{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 冷血范 的问题《Why is my Drupal 8 CORS setup not working?》','https://www.manongdao.com/q-810996.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Since Drupal 8.2 the cors setup is in core. In my services.yml (and default.services.yml) I have the following setup:
cors.config:
enabled: true
# Specify allowed headers, like 'x-allowed-header'.
allowedHeaders: ['x-csrf-token','authorization','content-type','accept','origin','x-requested-with']
# Specify allowed request methods, specify ['*'] to allow all possible ones.
allowedMethods: ['*']
# Configure requests allowed from specific origins.
allowedOrigins: ['*']
# Sets the Access-Control-Expose-Headers header.
exposedHeaders: false
# Sets the Access-Control-Max-Age header.
maxAge: 1000
# Sets the Access-Control-Allow-Credentials header.
supportsCredentials: true
My domain a.com is htaccess password protected.
On domain b.com I try to load some API from domain a.com:
$.ajaxSetup({
xhrField: {
withCredentials : true
},
beforeSend: function (xhr) {
xhr.setRequestHeader('Authorization', 'Basic Z2VuaXVzOmNvYXRpbmdz');
}
});
request = $.ajax({
url: apiBaseUrl + 'api/foobar',
dataType: 'json',
type: 'get',
password: 'foo',
username: 'bar'
});
In chrome it works fine, in firefox I get an error. The request headers:
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Response is 401 "Authorization required", it says request method is OPTIONS (?).
Whats wrong here?
Doing the same request in insomnia works perfectly fine.
Additionally to the working CORS configuration and htaccess setup:
you have to make sure that your ajax setup does not have the
withCredentialsandpasswordandusername, like in my question. This leads to errors in Firefox, at least. Working ajax:You need to configure your server backend to not require authorization for
OPTIONSrequests.That 401 response indicates the server is requiring authorization for an
OPTIONSrequest, but authorization is failing because the request doesn’t contain the required credentials.The reason is, that
OPTIONSrequest is sent automatically by your browser as part of CORS.https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests explains in general why browsers make CORS preflight
OPTIONSrequests, but in the specific case in the question, the reason is because the request contains theAuthorizationrequest header.So what’s happening is:
Authorizationheader.Authorizationheader require me to do a CORS preflightOPTIONSto make sure the server allows requests with theAuthorizationheader.OPTIONSrequest to the server without theAuthorizationheader, because the whole purpose of theOPTIONScheck is to see if it’s OK to include that header.OPTIONSrequest but instead of responding to it in a way that indicates it allows theAuthorizationheader in requests, it rejects it with a 401 since it lacks the header.GETrequest from your code.So you need to figure out what part of your current server-side code is causing your server to require authorization for
OPTIONSrequests, and you need to change that so that it instead handlesOPTIONSrequests without authorization being required.Once you fix that, the existing
cors.configshown in the question should cause the server to respond to theOPTIONSrequest in the right way—with anAccess-Control-Allow-Headersresponse header that includesAuthorization, so that your browser can then say, OK, this server allows cross-origin requests that contain theAuthorizationheader, so I’ll now go ahead and send the actualGETrequest.