We are developing a mobile site using html5, jQuery(1.8.2) and jQuery mobile while making jQuery ajax calls (get and post).
After we changed our domain name, we are getting "access denied" for ajax calls on ie9.
We tried to include jquery.iecors.js
. But still we are getting the same error.Is there any resolution for this?
我们正在开发一个使用html5、jQuery(1.8.2)和jQuery mobile的移动站点,同时进行jQuery ajax调用(get和post)。在我们更改了域名之后,我们获得了对ie9的ajax调用的“访问拒绝”。我们尝试包含jquery.iecors.js。但我们还是得到了相同的误差。有什么解决办法吗?
Sample Code:
示例代码:
$.support.cors = true;
$.ajax({
cache: false,
async: true,
crossDomain: true,
timeout: 600000,
url: baseUrl + '/SmartTouch/restServices/PrefferedHotels',
type: 'GET',
beforeSend: function (xhr) {
xhr.setRequestHeader("Authorization", "Basic " + myencoded);
},
contentType: "application/x-www.form-urlencoded; (http://www.form-urlencoded;) (http://www.form-urlencoded;) charset=UTF-8",
success: function (data) {
alert("success");
},
error: function (jqXHR, textStatus, errorThrown) {
alert("error!!::" + JSON.stringify(jqXHR));
alert('response: ' + jqXHR.responseText);
alert('code: ' + jqXHR.getResponseHeader('X-Subscriber-Status'));
alert("textStatus " + textStatus);
alert("errorThrown " + errorThrown);
}
});
Edited:
编辑:
beforeSend: function (xhr) {
xhr.setRequestHeader("Authorization", "Basic " + myencoded);
xhr.setRequestHeader("Access-Control-Allow-Origin", "*");
xhr.setRequestHeader("Access-Control-Allow-Methods", "POST,GET,OPTIONS");
},
contentType: "application/x-www.form-urlencoded; (http://www.form-urlencoded;) (http://www.form-urlencoded;) charset=UTF-8",
success: function (data) {
alert("success");
},
error: function (jqXHR, textStatus, errorThrown) {
alert("error!!::" + JSON.stringify(jqXHR));
Request and Response headers in IE9:
IE9中的请求和响应头:
Request:
Key Value
Request GET url HTTP/1.1
Accept text/html, application/xhtml+xml, */*
Accept-Language en-US
User-Agent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding gzip, deflate
Proxy-Connection Keep-Alive
Host ("url")
Pragma no-cache
Cookie GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utmc=24444716; __utma=24444716.47018335.1379597653.1380274476.1380276859.17; __utmz=24444716.1379597653.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=24444716.6.10.1380276859
Response:
Key Value
Response HTTP/1.1 200 OK
Server Apache-Coyote/1.1
X-Powered-By Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Accept-Ranges bytes
ETag W/"64578-1380266616000"
Last-Modified Fri, 27 Sep 2013 07:23:36 GMT
Content-Type text/html
Date Fri, 27 Sep 2013 10:17:01 GMT
Content-Length 64578
Age 0
Via 1.1 localhost.localdomain
6 个解决方案
#1
2
This kind of Content-Type
looks strange:
这种内容类型看起来很奇怪:
application/x-www.form-urlencoded; (http://www.form-urlencoded;) (http://www.form-urlencoded;) charset=UTF-8"
I can imagine the IE has as problem with it.
我可以想象IE也有同样的问题。
Try the proper one:
试着正确的:
application/x-www-form-urlencoded; charset=UTF-8
^-- notice: no dot!
It's also possible for the IE to have problems with the authorization. Maybe myencoded
is out of the scope or not filled correctly. Debug this variable and have a look at this question: Authorization through setRequestHeader
IE也有可能在授权上出现问题。也许我的编码已经超出了范围或者没有正确填写。调试这个变量并查看这个问题:通过setRequestHeader进行授权
#2
1
If you want the Ajax url to be hit from any domain, the server must send a response header Access-Control-Allow-Origin : * or Access-Control-Allow-Origin : your-domain if restricted only to your domain.Can you see these headers in response?
如果希望从任何域访问Ajax url,服务器必须发送响应头访问-控制-允许-起源:*或访问-控制-允许-起源:您的域,如果仅限于您的域的话。你能看到这些标头的响应吗?
#3
1
See this Microsoft article on CORS implementation on IE8 and IE9: http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx
请参阅微软关于IE8和IE9的CORS实现的文章:http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest- limitationandworkounds.aspx
Specifically they say two things:
具体来说,他们说了两件事:
- No custom headers may be added to the request
- 不可以向请求添加自定义头
and
和
- No authentication or cookies will be sent with the request
- 不会随请求一起发送任何身份验证或cookie
And you mentioned in your comment:
你在评论中提到
Our problem is we are doing basic authorization and including following header: xhr.setRequestHeader("Authorization", "Basic " + myencoded); in our ajax call.But in ie9 we are getting access denied.Is there any way to include this header?
我们的问题是我们正在做基本的授权,包括下面的标题:xhr。setRequestHeader(“授权”、“Basic”+ myencoded);在我们的ajax调用。但是在ie9中,我们被拒绝访问。有没有办法包括这个标题?
Unfortunately, the answer I'll have to give you is no, there is no way to include this header in IE8 or IE9. Microsoft designed it that way.
不幸的是,我要给你的答案是不,没有办法在IE8或IE9中包含这个标题。微软就是这样设计的。
To get it to work with CORS on IE9 you'll have to convince the site you're connecting to to allow you to send authorization information some other way - maybe query params or post data.
为了让它与IE9上的CORS一起工作,你必须说服你所连接的站点允许你以其他方式发送授权信息——可能是查询params或post数据。
If the site is not cooperative there's always the request proxy work-around where you request to a page on your server and you server forwards the request with the correct header etc.
如果网站不合作,总有一个请求代理工作,你请求到你服务器上的一个页面,你的服务器用正确的报头转发请求,等等。
#4
1
You seem confident that the issue has nothing to do with the suggested jQuery bug (especially since you're using jquery.iecors.js
) so I'll move right on.
您似乎确信这个问题与建议的jQuery bug没有任何关系(特别是因为您使用的是jQuery .iecors.js),因此我将继续讨论。
-
What is the significance of the "edited" bit?
Access-Control-Allow-Origin:*
should be set on the response (i.e. server-side, as part of Apache/IIS/F5 configuration), not on the request. Edit: there is more information available on MDN; you could also use something like burp's tampering proxy to play with the headers if you don't have immediate access to config changes (pretty common in an enterprise environment)“编辑”的意义是什么?访问控制允许的来源:*应该设置在响应上(即服务器端,作为Apache/IIS/F5配置的一部分),而不是在请求上。编辑:MDN上有更多的信息;如果不能立即访问配置更改(在企业环境中非常常见),还可以使用burp的篡改代理来处理头文件
-
Even if not an issue, @DanFromGermany is absolutely right - content-type does look strange. You shouldn't even have to set it manually,
jQuery.ajax()
has it correct by default.即使不是问题,@DanFromGermany也是绝对正确的——content-type看起来确实很奇怪。您甚至不必手动设置它,jQuery.ajax()在默认情况下是正确的。
-
You also seem concerned with setting the basic authentication header. Remember that
myencoded
value is just encoded (not encrypted), so you might as well skip the header and pass credentials in the URL:http(s)://username:password@www.example.com/
您似乎还关心设置基本的身份验证头。记住,my编码的值只是编码的(不是加密的),所以您可以跳过header并在URL中传递凭证:http(s)://用户名:password@www.example.com/。
Moar edit:
Moar编辑:
Looking through those MDN docos above, this seems relevant:
通过上面的MDN docos,这似乎是相关的:
By default, in cross-site XMLHttpRequest invocations, browsers will not send credentials. A specific flag has to be set on the XMLHttpRequest object when it is invoked.
默认情况下,在跨站点XMLHttpRequest调用中,浏览器不会发送凭据。在调用XMLHttpRequest对象时,必须在该对象上设置一个特定的标志。
Perhaps try adding xhr.withCredentials = true;
to your beforeSend
?
也许尝试添加xhr。withCredentials = true;beforeSend ?
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *. Since the Access-Control-Allow-Origin explicitly mentions http://foo.example, the credential-cognizant content is returned to the invoking web content.
重要提示:当响应授权请求时,服务器必须指定一个域,并且不能使用粗梳。如果标头被通配符为:Access-Control-Allow-Origin: *,则上述示例将失败。由于访问控制允许的源显式地提到了http://foo。例如,凭证识别内容被返回到调用的web内容。
This would invalidate previous advice of using an asterisk in the header (i.e. explicit domain is required)
这将使以前在标题中使用星号的建议无效(即需要显式域)
#5
0
If you were using windows based hosting?
如果你使用的是基于windows的主机?
Please check old configs for the IIS, if available,
请查看IIS的旧配置,如果有,
there are security provisions which will allow content by its type,
有安全条款允许内容按其类型,
add this response header <% Response.AddHeader("Access-Control-Allow-Origin","*") %>
in your page also.
在您的页面中添加这个响应头<% Response.AddHeader(“访问控制允许源”,“*”)%>。
or refer the source link to MSDN for more details
或参考源链接到MSDN以了解更多细节
I think you have updated this in edits but there are many things as its AJAX involved, and your IE9 may also one of the reason if you have changed security options and not default.
我认为您已经在编辑中更新了它,但是它涉及到AJAX的很多东西,如果您更改了安全选项而不是默认设置,那么您的IE9可能也是原因之一。
I think that should do, if not please reply
我想应该可以,如果不可以,请回复
#6
0
You can try this
你可以试试这个
<meta http-equiv="X-UA-Compatible" content="IE=Edge" >
It forces the browser the render at whatever the most recent version's standards are. For reference http://msdn.microsoft.com/en-us/library/ie/ms533876%28v=vs.85%29.aspx
它迫使浏览器呈现最新版本的标准。供参考http://msdn.microsoft.com/en-us/library/ie/ms533876%28v=vs.85%29.aspx
#1
2
This kind of Content-Type
looks strange:
这种内容类型看起来很奇怪:
application/x-www.form-urlencoded; (http://www.form-urlencoded;) (http://www.form-urlencoded;) charset=UTF-8"
I can imagine the IE has as problem with it.
我可以想象IE也有同样的问题。
Try the proper one:
试着正确的:
application/x-www-form-urlencoded; charset=UTF-8
^-- notice: no dot!
It's also possible for the IE to have problems with the authorization. Maybe myencoded
is out of the scope or not filled correctly. Debug this variable and have a look at this question: Authorization through setRequestHeader
IE也有可能在授权上出现问题。也许我的编码已经超出了范围或者没有正确填写。调试这个变量并查看这个问题:通过setRequestHeader进行授权
#2
1
If you want the Ajax url to be hit from any domain, the server must send a response header Access-Control-Allow-Origin : * or Access-Control-Allow-Origin : your-domain if restricted only to your domain.Can you see these headers in response?
如果希望从任何域访问Ajax url,服务器必须发送响应头访问-控制-允许-起源:*或访问-控制-允许-起源:您的域,如果仅限于您的域的话。你能看到这些标头的响应吗?
#3
1
See this Microsoft article on CORS implementation on IE8 and IE9: http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx
请参阅微软关于IE8和IE9的CORS实现的文章:http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest- limitationandworkounds.aspx
Specifically they say two things:
具体来说,他们说了两件事:
- No custom headers may be added to the request
- 不可以向请求添加自定义头
and
和
- No authentication or cookies will be sent with the request
- 不会随请求一起发送任何身份验证或cookie
And you mentioned in your comment:
你在评论中提到
Our problem is we are doing basic authorization and including following header: xhr.setRequestHeader("Authorization", "Basic " + myencoded); in our ajax call.But in ie9 we are getting access denied.Is there any way to include this header?
我们的问题是我们正在做基本的授权,包括下面的标题:xhr。setRequestHeader(“授权”、“Basic”+ myencoded);在我们的ajax调用。但是在ie9中,我们被拒绝访问。有没有办法包括这个标题?
Unfortunately, the answer I'll have to give you is no, there is no way to include this header in IE8 or IE9. Microsoft designed it that way.
不幸的是,我要给你的答案是不,没有办法在IE8或IE9中包含这个标题。微软就是这样设计的。
To get it to work with CORS on IE9 you'll have to convince the site you're connecting to to allow you to send authorization information some other way - maybe query params or post data.
为了让它与IE9上的CORS一起工作,你必须说服你所连接的站点允许你以其他方式发送授权信息——可能是查询params或post数据。
If the site is not cooperative there's always the request proxy work-around where you request to a page on your server and you server forwards the request with the correct header etc.
如果网站不合作,总有一个请求代理工作,你请求到你服务器上的一个页面,你的服务器用正确的报头转发请求,等等。
#4
1
You seem confident that the issue has nothing to do with the suggested jQuery bug (especially since you're using jquery.iecors.js
) so I'll move right on.
您似乎确信这个问题与建议的jQuery bug没有任何关系(特别是因为您使用的是jQuery .iecors.js),因此我将继续讨论。
-
What is the significance of the "edited" bit?
Access-Control-Allow-Origin:*
should be set on the response (i.e. server-side, as part of Apache/IIS/F5 configuration), not on the request. Edit: there is more information available on MDN; you could also use something like burp's tampering proxy to play with the headers if you don't have immediate access to config changes (pretty common in an enterprise environment)“编辑”的意义是什么?访问控制允许的来源:*应该设置在响应上(即服务器端,作为Apache/IIS/F5配置的一部分),而不是在请求上。编辑:MDN上有更多的信息;如果不能立即访问配置更改(在企业环境中非常常见),还可以使用burp的篡改代理来处理头文件
-
Even if not an issue, @DanFromGermany is absolutely right - content-type does look strange. You shouldn't even have to set it manually,
jQuery.ajax()
has it correct by default.即使不是问题,@DanFromGermany也是绝对正确的——content-type看起来确实很奇怪。您甚至不必手动设置它,jQuery.ajax()在默认情况下是正确的。
-
You also seem concerned with setting the basic authentication header. Remember that
myencoded
value is just encoded (not encrypted), so you might as well skip the header and pass credentials in the URL:http(s)://username:password@www.example.com/
您似乎还关心设置基本的身份验证头。记住,my编码的值只是编码的(不是加密的),所以您可以跳过header并在URL中传递凭证:http(s)://用户名:password@www.example.com/。
Moar edit:
Moar编辑:
Looking through those MDN docos above, this seems relevant:
通过上面的MDN docos,这似乎是相关的:
By default, in cross-site XMLHttpRequest invocations, browsers will not send credentials. A specific flag has to be set on the XMLHttpRequest object when it is invoked.
默认情况下,在跨站点XMLHttpRequest调用中,浏览器不会发送凭据。在调用XMLHttpRequest对象时,必须在该对象上设置一个特定的标志。
Perhaps try adding xhr.withCredentials = true;
to your beforeSend
?
也许尝试添加xhr。withCredentials = true;beforeSend ?
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *. Since the Access-Control-Allow-Origin explicitly mentions http://foo.example, the credential-cognizant content is returned to the invoking web content.
重要提示:当响应授权请求时,服务器必须指定一个域,并且不能使用粗梳。如果标头被通配符为:Access-Control-Allow-Origin: *,则上述示例将失败。由于访问控制允许的源显式地提到了http://foo。例如,凭证识别内容被返回到调用的web内容。
This would invalidate previous advice of using an asterisk in the header (i.e. explicit domain is required)
这将使以前在标题中使用星号的建议无效(即需要显式域)
#5
0
If you were using windows based hosting?
如果你使用的是基于windows的主机?
Please check old configs for the IIS, if available,
请查看IIS的旧配置,如果有,
there are security provisions which will allow content by its type,
有安全条款允许内容按其类型,
add this response header <% Response.AddHeader("Access-Control-Allow-Origin","*") %>
in your page also.
在您的页面中添加这个响应头<% Response.AddHeader(“访问控制允许源”,“*”)%>。
or refer the source link to MSDN for more details
或参考源链接到MSDN以了解更多细节
I think you have updated this in edits but there are many things as its AJAX involved, and your IE9 may also one of the reason if you have changed security options and not default.
我认为您已经在编辑中更新了它,但是它涉及到AJAX的很多东西,如果您更改了安全选项而不是默认设置,那么您的IE9可能也是原因之一。
I think that should do, if not please reply
我想应该可以,如果不可以,请回复
#6
0
You can try this
你可以试试这个
<meta http-equiv="X-UA-Compatible" content="IE=Edge" >
It forces the browser the render at whatever the most recent version's standards are. For reference http://msdn.microsoft.com/en-us/library/ie/ms533876%28v=vs.85%29.aspx
它迫使浏览器呈现最新版本的标准。供参考http://msdn.microsoft.com/en-us/library/ie/ms533876%28v=vs.85%29.aspx