Fatal编程技术网
  • angularjs/
  • AngularJS:拒绝设置不安全的标题“;访问控制请求头“;

AngularJS:拒绝设置不安全的标题“;访问控制请求头“;

angularjs cors

AngularJS:拒绝设置不安全的标题“;访问控制请求头“;,angularjs,cors,Angularjs,Cors,我正在尝试使用AngularJS调用本地运行的RESTAPI。以下是AngularJS代码: $http.defaults.headers.common = {"Access-Control-Request-Headers": "accept, origin, authorization"}; $http.defaults.headers.common['Authorization'] = 'Basic amF5M2RlYzpqYXk='; $http({method: 'GET', url:

我正在尝试使用AngularJS调用本地运行的RESTAPI。以下是AngularJS代码:

$http.defaults.headers.common = {"Access-Control-Request-Headers": "accept, origin, authorization"};

$http.defaults.headers.common['Authorization'] = 'Basic amF5M2RlYzpqYXk=';
$http({method: 'GET', url: 'http://127.0.0.1:5000/user/jay3dec'}).
        success(function(data, status, headers, config) {

        }).
        error(function(data, status, headers, config) {
            alert(data);

        });
但我在浏览器控制台中发现一个错误:

Refused to set unsafe header "Access-Control-Request-Headers"
我尝试使用CURL查询调用运行在的RESTAPI

curl -H "Origin: http://127.0.0.1:8000" -H "Authorization: Basic amF5M2RlYzpqYXk=" http://127.0.0.1:5000/user/jay3dec --verbose
它给出了以下输出:

> GET /user/jay3dec HTTP/1.1
> User-Agent: curl/7.35.0
> Host: 127.0.0.1:5000
> Accept: */*
> Origin: http://127.0.0.1:8000
> Authorization: Basic amF5M2RlYzpqYXk=
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-Type: application/json
< Content-Length: 454
< ETag: bff7b7db33baedb612276861e84faa8f7988efb1
< Last-Modified: Tue, 30 Dec 2014 14:32:31 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: Authorization
< Access-Control-Allow-Methods: HEAD, OPTIONS, GET
< Access-Control-Allow-Max-Age: 21600
< Server: Eve/0.4 Werkzeug/0.9.6 Python/2.7.6
< Date: Sun, 25 Jan 2015 20:00:29 GMT
< 
* Closing connection 0
{"username": "jay3dec", "_updated": "Tue, 30 Dec 2014 14:32:31 GMT", "password": "jay", "firstname": "jay", "lastname": "raj", "phone": "9895590754", "_links": {"self": {"href": "/user/54a2b77f691d721ee170579d", "title": "User"}, "parent": {"href": "", "title": "home"}, "collection": {"href": "/user", "title": "user"}}, "_created": "Tue, 30 Dec 2014 14:32:31 GMT", "_id": "54a2b77f691d721ee170579d", "_etag": "bff7b7db33baedb612276861e84faa8f7988efb1"}

>GET/user/jay3dec HTTP/1.1
>用户代理:curl/7.35.0
>主持人:127.0.0.1:5000
>接受:*/*
>来源:http://127.0.0.1:8000
>授权:基本amF5M2RlYzpqYXk=
> 
*HTTP 1.0,假设在正文之后关闭
任何人都能发现问题所在吗?

隐藏在
$http.defaults.headers.common
后面的代码是

var xhr = createXhr();

xhr.open(method, url, true);
  forEach(headers, function(value, key) {
    if (isDefined(value)) {
        xhr.setRequestHeader(key, value);
    }
  });

...

function createXhr() {
    return new window.XMLHttpRequest();
}
参考,如果标头与以下标头之一不区分大小写匹配,则浏览器将终止

Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
...
这就是为什么您不能使用
$http.defaults.headers.common
来设置
访问控制请求头
头。浏览器将为您处理请求头。

问题出在 您应该将服务器端配置为允许在标头中进行授权。我不知道您用于服务器的是什么,但对于我的asp.net web api 2服务器,它看起来像:
Web.config

 <system.webServer>
   <httpProtocol>
     <customHeaders>
       <add name="Access-Control-Allow-Origin" value="*" />
       <add name="Access-Control-Allow-Headers" value="Content-Type,Authorization" />
       <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
     </customHeaders>
   </httpProtocol>
 ......


......
出于安全原因,浏览器不允许head设置了一些安全风险,例如cookie主机引用者等。因此,不要使用浏览器来解析行头。它可以用于代理发送的服务器端集。 参考: