{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 倾城 Initia 的问题《How to make XMLHttpRequest cross-domain withCreden》','https://www.manongdao.com/q-119167.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm unable to make a cross-domain request with an Authorization header (testing with Firefox). I have requests working without authentication, but once I set withCredentials to true I am no longer able to read the response from the server.
On the server I send back these headers (using an after_request method in Flask):
resp.headers['Access-Control-Allow-Origin'] = '*'
resp.headers['Access-Control-Allow-Credentials'] = 'true'
resp.headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS'
resp.headers['Access-Control-Allow-Headers'] = 'Authorization'
No OPTIONS call is ever actually made by Firefox. On the client I make an XMLHttpRequest call:
var xhr = new XMLHttpRequest()
xhr.open( 'POST', 'http://test.local:8002/test/upload', true)
xhr.withCredentials = true
xhr.onreadystatechange = function() {
console.log( xhr.status, xhr.statusText )
}
xhr.send(fd)
Without withCredentials set the log statement will log the expecting information to the console. Once I set the value however the xhr doesn't allow access and I just write a 0 value and an empty string. I haven't set the authorization header here, but that shouldn't affect my ability to read the result.
If I attempt to add a username/password to the "open" command I get a NS_ERROR_DOM_BAD_URI: Access to restricted URI denied error.
What am I doing wrong?
I've written an article with a complete CORS setup.
I found several issues that can result in this problem:
Access-Control-Allow-Origincannot be a wildcard if credentials are being used. It's easiest just to copy theOriginheader of the request to this field. It's entirely unclear why the standard would disallow a wildcard.OPTIONSrequest. To aid in debugging I added the headerAccess-Control-Max-Age: 1opencommand is apparently not usable as the credentials. You must add anAuthorizationheader yourself.xhr.setRequestHeader( 'Authorization', 'Basic ' + btoa( user + ':' + pass ) )Overall the
withCredentialssystem is rather braindead. It's easier to simply write a server that accepts the authorization as part of the body of the request.