CORS and HTTP basic auth

Published 2020-02-05 06:44

How would a preflighted HTTP request look if you include Basic auth? Like the following conversation? I'm having trouble understanding which headers need to be sent where, also because it's not possible to debug it properly with Firebug.

Client:

OPTIONS /api/resource HTTP/1.1
Access-Control-Request-Method: GET
Origin: http://jsconsole.com

Server:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true

Client:

GET /api/resource HTTP/1.1
Access-Control-Request-Method: GET
Access-Control-Allow-Credentials: true
Origin: http://jsconsole.com

Server:

HTTP/1.1 401 Unauthorized
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
WWW-Authenticate: Basic realm="Authorisation Required"

Client:

GET /api/resource HTTP/1.1
Access-Control-Allow-Credentials: true
Authorization: Basic base64encodedUserAndPassword
Access-Control-Request-Method: GET
Origin: http://jsconsole.com

Server:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true

1 answer
戒情不戒烟
Post #2 · 2020-02-05 07:19

If you're requesting credentials, then the server must respond with the specific origin in the Access-Control-Allow-Origin response header (and thus can't use the wildcard *). Of course, it would then also need to respond with the Access-Control-Allow-Credentials response header too.
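
As an added example (not code from the question or the answer above), a server-side helper that emits the CORS headers the answer describes for a credentialed Basic-auth request, a check modelled on the browser's rule that a wildcard origin is never accepted together with credentials, and the matching client-side fetch options. The origin allowlist, the Max-Age value and the function names are assumptions:

```javascript
// Constructed allowlist of origins permitted to send credentialed requests.
const ALLOWED_ORIGINS = new Set(['http://jsconsole.com']);

// Builds the CORS response headers for a request whose header names are
// lower-cased in reqHeaders. Returns null when the Origin is not allowed,
// so an unknown origin gets no CORS headers at all.
function corsHeadersFor(reqHeaders, isPreflight) {
  const origin = reqHeaders['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return null;
  }
  const headers = {
    // Credentialed requests need the exact origin echoed back, never '*'.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response now differs per origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
  if (isPreflight) {
    // Authorization is not a CORS-safelisted request header, so the
    // preflight response has to list it explicitly.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Authorization';
    headers['Access-Control-Max-Age'] = '600'; // assumed value, in seconds
  }
  return headers;
}

// Mirrors the browser-side check for a request made with credentials:
// the origin must match exactly (a wildcard fails) and the credentials
// header must be the literal string "true".
function browserAcceptsCredentialed(respHeaders, origin) {
  if (!respHeaders) return false;
  return respHeaders['Access-Control-Allow-Origin'] === origin &&
         respHeaders['Access-Control-Allow-Credentials'] === 'true';
}

// Client side: the options a browser script would pass to fetch() so that
// the Authorization header is sent and the credentialed response accepted.
function basicAuthRequestInit(user, pass) {
  const raw = user + ':' + pass;
  const encoded = typeof btoa === 'function'
    ? btoa(raw)                                   // browser
    : Buffer.from(raw, 'utf8').toString('base64'); // Node fallback
  return {
    method: 'GET',
    credentials: 'include',
    headers: { Authorization: 'Basic ' + encoded },
  };
}
```

The client never sends Access-Control-Allow-Credentials itself; that is a response header, and the browser adds the Origin and Access-Control-Request-* headers on its own.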
