发表新帖
发表新帖

Cross domain POST query using Cross-Origin Resource Sharing getting no data back

后端 未结
关注
4 1297
独厮守ぢ
独厮守ぢ 2020-12-08 12:09

I\'m sending data cross domain via a POST request but the response isn\'t working, specifically, jQuery\'s success handler never gets called.

Stuff being used: Djang

4条回答
  • 醉梦人生
    醉梦人生 (楼主)
    2020-12-08 13:05

    Ok, so I believe the correct way to do things is this:

    if request.method == "POST":
    response = HttpResponse(simplejson.dumps(data),mimetype='application/json')
    response['Access-Control-Allow-Origin'] = "*"
    return response
elif request.method == "OPTIONS":
    response = HttpResponse("")
    response['Access-Control-Allow-Origin'] = "*"
    response['Access-Control-Allow-Methods'] = "POST, OPTIONS"
    response['Access-Control-Allow-Headers'] = "X-Requested-With"
    response['Access-Control-Max-Age'] = "1800"
else:
    return HttpResponseBadRequest()

    This is based on the documentation I dug up from Mozilla on preflighted requests.

    So, what I believe will happen is this:

    1. If there's nothing in the preflight cache, OPTIONS is sent with X-Requested-With set to XMLHttpRequest I believe this is necessary to allow Javascript access to anything, along with an Origin header.
    2. The server can examine that information. That is the security of CORS. In my case, I'm responding with "any origin will do" and "you're allowed to send the X-Requested-With thing". I'm saying that OPTIONS and POST are allowed and that this response should be cached for 30 mins.
    3. The client then goes ahead and makes the POST, which was working before.
    4. I modified the response originally to include Allow-Methods and Allow-Headers but according to the exchange in the above linked documentation this isn't needed. This makes sense, the access check has already been done.
    5. I believe then that what happens is the resource sharing check described here. Basically, once said request has been made, the browser again checks the Allow-Origin field for validity, this being on the request such as POST. If this passes, the client can have access to the data, if not, the request has already completed but the browser denies the actual client side application (Javascript) access to that data.

    I believe that is a correct summary of what is going on and in any case it appears to work. If I'm not right, please shout.

    0 讨论(0)
 看不清?
提交回复
热议问题