問題描述

我正在嘗試將 XMLHttpRequest 發送到粘貼站點.我正在發送一個包含 api 需要的所有字段的對象，但我一直遇到這個問題.我已經閱讀了這個問題，我想:

I'm attempting to send a XMLHttpRequest to a paste site. I'm sending an object containing all the fields that the api requires, but I keep getting this issue. I have read over the issue, and I thought:

httpReq.setRequestHeader('Access-Control-Allow-Headers', '*');

會修復它，但它沒有.有沒有人有關于這個錯誤的任何信息和/或我如何解決它?

Would fix it,but it didn't. Does anyone have any information on this error and/or how I can fix it?

這是我的代碼:

(function () {

    'use strict';

    var httpReq = new XMLHttpRequest();
    var url = 'http://paste.ee/api';
    var fields = 'key=public&description=test&paste=this is a test paste&format=JSON';
    var fields2 = {key: 'public', description: 'test', paste: 'this is a test paste', format: 'JSON'};

    httpReq.open('POST', url, true);
    console.log('good');

    httpReq.setRequestHeader('Access-Control-Allow-Headers', '*');
    httpReq.setRequestHeader('Content-type', 'application/ecmascript');
    httpReq.setRequestHeader('Access-Control-Allow-Origin', '*');
    console.log('ok');

    httpReq.onreadystatechange = function () {
        console.log('test');
        if (httpReq.readyState === 4 && httpReq.status === 'success') {
            console.log('test');
            alert(httpReq.responseText);
        }
    };

    httpReq.send(fields2);

}());

這是確切的控制臺輸出:

And here is the exact console output:

good
ok
Failed to load resource: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:40217' is therefore not allowed access. http://paste.ee/api
XMLHttpRequest cannot load http://paste.ee/api. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:40217' is therefore not allowed access. index.html:1
test

這是我在常規 Chromium 瀏覽器上本地測試時的控制臺輸出:

Here is the console output when I test it locally on a regular Chromium browser:

good
ok
XMLHttpRequest cannot load http://paste.ee/api. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. index.html:1
test

推薦答案

我認為你錯過了訪問控制這一點.

I think you've missed the point of access control.

快速回顧一下 CORS 存在的原因:由于來自網站的 JS 代碼可以執行 XHR，因此該網站可能會向其他網站發送請求，偽裝成您并利用 那些網站對您的信任(例如，如果您已登錄，惡意站點可能會嘗試提取信息或執行您從未想要的操作) - 這稱為 CSRF 攻擊.為了防止這種情況發生，網絡瀏覽器對您可以發送的 XHR 有非常嚴格的限制——您通常僅限于您的域，等等.

A quick recap on why CORS exists: Since JS code from a website can execute XHR, that site could potentially send requests to other sites, masquerading as you and exploiting the trust those sites have in you(e.g. if you have logged in, a malicious site could attempt to extract information or execute actions you never wanted) - this is called a CSRF attack. To prevent that, web browsers have very stringent limitations on what XHR you can send - you are generally limited to just your domain, and so on.

現在，有時網站允許其他網站與其聯系很有用 - 提供 API 或服務的網站(例如您嘗試訪問的網站)將是主要候選者.開發 CORS 是為了允許站點 A(例如 paste.ee)說我信任站點 B，因此您可以將 XHR 從它發送給我".這是由站點 A 在其響應中發送Access-Control-Allow-Origin"標頭指定的.

Now, sometimes it's useful for a site to allow other sites to contact it - sites that provide APIs or services, like the one you're trying to access, would be prime candidates. CORS was developed to allow site A(e.g. paste.ee) to say "I trust site B, so you can send XHR from it to me". This is specified by site A sending "Access-Control-Allow-Origin" headers in its responses.

在您的具體情況下，似乎 paste.ee 并不費心使用 CORS.如果您想在瀏覽器腳本中使用 paste.ee，最好的辦法是聯系網站所有者并找出原因.或者，您可以嘗試使用擴展程序(應該具有更高的 XHR 權限).

In your specific case, it seems that paste.ee doesn't bother to use CORS. Your best bet is to contact the site owner and find out why, if you want to use paste.ee with a browser script. Alternatively, you could try using an extension(those should have higher XHR privileges).

這篇關于JavaScript - XMLHttpRequest、Access-Control-Allow-Origin 錯誤的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！