Cross domain POST query using Cross-Origin Resource Sharing getting no data back
I\'m sending data cross domain via a POST request but the response isn\'t working, specifically, jQuery\'s success handler never gets called.
Stuff being used: Djang
-
I don't think this is possible for security reasons. The only cross domain ajax calls which browsers allow, can be done using JSONP and these are exclusively GET requests.
This will work:
$.ajax({ url: "http://somesite.com/someplace", type: "GET", cache: false, dataType: "JSONP", data: { ... }, success: function( msg ) { alert(msg); }, });This won't:
$.ajax({ url: "http://somesite.com/someplace", type: "POST", cache: false, dataType: "JSONP", data: { ... }, success: function( msg ) { alert(msg); }, });讨论(0) -
For any future searchers who may come across this posting, the following resource is the W3C 2008 working-draft which discusses CORS in-depth.
http://www.w3.org/TR/2008/WD-access-control-20080912/
As of the time of this posting, it should be noted that Chromium specifically, and probably all of WebKit has a bug which prevents the
Access-Control-Max-Ageheader's value from being honored. Details on this can be found on the discussion page for Chromium Issue 131368. In summary - as of now, WebKit-based browsers will override whatever the server returns as a value here with600(10 minutes).讨论(0) -
REQUEST:
$.ajax({ url: "http://localhost:8079/students/add/", type: "POST", crossDomain: true, data: JSON.stringify(somejson), dataType: "json", success: function (response) { var resp = JSON.parse(response) alert(resp.status); }, error: function (xhr, status) { alert("error"); } });RESPONSE:
response = HttpResponse(json.dumps('{"status" : "success"}')) response.__setitem__("Content-type", "application/json") response.__setitem__("Access-Control-Allow-Origin", "*") return response讨论(0) -
Ok, so I believe the correct way to do things is this:
if request.method == "POST": response = HttpResponse(simplejson.dumps(data),mimetype='application/json') response['Access-Control-Allow-Origin'] = "*" return response elif request.method == "OPTIONS": response = HttpResponse("") response['Access-Control-Allow-Origin'] = "*" response['Access-Control-Allow-Methods'] = "POST, OPTIONS" response['Access-Control-Allow-Headers'] = "X-Requested-With" response['Access-Control-Max-Age'] = "1800" else: return HttpResponseBadRequest()This is based on the documentation I dug up from Mozilla on preflighted requests.
So, what I believe will happen is this:
- If there's nothing in the preflight cache,
OPTIONSis sent withX-Requested-Withset toXMLHttpRequestI believe this is necessary to allow Javascript access to anything, along with anOriginheader. - The server can examine that information. That is the security of CORS. In my case, I'm responding with "any origin will do" and "you're allowed to send the
X-Requested-Withthing". I'm saying thatOPTIONSandPOSTare allowed and that this response should be cached for 30 mins. - The client then goes ahead and makes the POST, which was working before.
- I modified the response originally to include
Allow-MethodsandAllow-Headersbut according to the exchange in the above linked documentation this isn't needed. This makes sense, the access check has already been done. - I believe then that what happens is the resource sharing check described here. Basically, once said request has been made, the browser again checks the
Allow-Originfield for validity, this being on the request such asPOST. If this passes, the client can have access to the data, if not, the request has already completed but the browser denies the actual client side application (Javascript) access to that data.
I believe that is a correct summary of what is going on and in any case it appears to work. If I'm not right, please shout.
讨论(0) - If there's nothing in the preflight cache,
加载中...
- 热议问题