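I'm making an ajax call to my own server from a platform that is set up to prevent these ajax calls (but I need it to fetch data from my server in order to display data retrieved from my server's database).
My ajax script is working: it can send the data over to my server's PHP script so that it can be processed.
However, it cannot get the processed data back because it is blocked by "Access-Control-Allow-Origin".
I have no access to that platform's source/core, so I can't remove the script that is preventing me from doing this.
(P.S. I used Google Chrome's console and found this error.)
The Ajax code is shown below: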
$.ajax({
    type: "GET",
    url: "http://example.com/retrieve.php",
    data: "id=" + id + "&url=" + url,
    dataType: 'json',
    cache: false,
    success: function(data)
    {
        var friend = data[1];
        var blog = data[2];
        $('#user').html("<b>Friends: </b>"+friend+"<b><br> Blogs: </b>"+blog);
    }
});
Or is there JSON-equivalent code for the ajax script above? I think JSON is allowed.
I hope someone can help me out.
Put this at the top of retrieve.php:
header('Access-Control-Allow-Origin: *');
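Note that this effectively disables CORS protection and leaves your users exposed to attack. If you're not completely certain that you need to allow all origins, you should lock this down to a more specific origin: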
header('Access-Control-Allow-Origin: https://www.example.com');
Please refer to the following Stack Overflow answer for a better understanding of Access-Control-Allow-Origin:
https://stackoverflow.com/a/10636765/413670
I have fixed this problem when calling an MVC3 controller.
I added:
Response.AddHeader("Access-Control-Allow-Origin", "*");
before my
return Json(model, JsonRequestBehavior.AllowGet);
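Also, my $.ajax was complaining that it does not accept the Content-Type header in my ajax call, so I commented it out, as I know it's JSON being passed to the action.
Hope that helps.
Warning: Chrome (and other browsers) will complain that multiple ACAO headers are set if you follow some of the other answers.
The error will be something like: XMLHttpRequest cannot load ____. The 'Access-Control-Allow-Origin' header contains multiple values '____, ____, ____', but only one is allowed. Origin '____' is therefore not allowed access.
Try this: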
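// The Origin header is absent on same-origin and non-browser requests.
$http_origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
$allowed_domains = array(
    'http://domain1.com',
    'http://domain2.com',
);
// Strict comparison: only an exact string match is echoed back.
if (in_array($http_origin, $allowed_domains, true))
{
    header("Access-Control-Allow-Origin: $http_origin");
}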
It's a really bad idea to use *, which leaves you wide open to cross site scripting. You basically want your own domain all of the time, scoped to your current SSL settings, and optionally additional domains. You also want them all to be sent as one header. The following will always authorize your own domain in the same SSL scope as the current page, and can optionally also include any number of additional domains. It will send them all as one header, and overwrite the previous one(s) if something else already sent them to avoid any chance of the browser grumbling about multiple access control headers being sent.
class CorsAccessControl
{
    private $allowed = array();

    /**
     * Always adds your own domain with the current ssl settings.
     */
    public function __construct()
    {
        // Add your own domain, with respect to the current SSL settings.
        $this->allowed[] = 'http'
            . ( ( array_key_exists( 'HTTPS', $_SERVER )
                && $_SERVER['HTTPS']
                && strtolower( $_SERVER['HTTPS'] ) !== 'off' )
                    ? 's'
                    : null )
            . '://' . $_SERVER['HTTP_HOST'];
    }

    /**
     * Optionally add additional domains. Each is only added one time.
     */
    public function add($domain)
    {
        if ( !in_array( $domain, $this->allowed ) )
        {
            $this->allowed[] = $domain;
        }
    }

    /**
     * Send 'em all as one header so no browsers grumble about it.
     */
    public function send()
    {
        $domains = implode( ', ', $this->allowed );
        header( 'Access-Control-Allow-Origin: ' . $domains, true ); // We want to send them all as one shot, so replace should be true here.
    }
}
Usage:
$cors = new CorsAccessControl();
// If you are only authorizing your own domain:
$cors->send();
// If you are authorizing multiple domains:
foreach ($domains as $domain)
{
    $cors->add($domain);
}
$cors->send();
You get the idea.
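Added example (not code from any of the answers above): the browser error quoted earlier occurs because Access-Control-Allow-Origin carries a single value, so this sketch echoes back only the one request origin that exactly matches an allowlist and adds Vary: Origin for caches. The function names and the example.com origins are assumptions; run under the PHP CLI it prints the decision for each constructed origin.

```php
<?php
// Added example: hypothetical helpers and constructed origins.

/**
 * Decide the CORS headers for one request.
 * $origin: raw Origin request header, null when absent.
 * $allowlist: exact "scheme://host[:port]" strings.
 */
function cors_headers_for(?string $origin, array $allowlist): array
{
    // The response differs per caller, so caches must key on Origin.
    $headers = ['Vary' => 'Origin'];
    // Exact, strict match: no substring or suffix tests, and the literal
    // "null" origin only passes if someone lists it (do not).
    if ($origin !== null && in_array($origin, $allowlist, true)) {
        // Exactly one origin value, never a comma-separated list.
        $headers['Access-Control-Allow-Origin'] = $origin;
    }
    return $headers;
}

/** Emit the headers; ACAO replaces any copy an earlier layer already set. */
function send_cors_headers(array $headers): void
{
    foreach ($headers as $name => $value) {
        // Vary is appended so an existing Vary: Accept-Encoding survives.
        header("$name: $value", $name !== 'Vary');
    }
}

$allowlist = ['https://www.example.com', 'https://app.example.com']; // assumed

if (PHP_SAPI === 'cli') {
    // Constructed sample origins, including near misses that must fail.
    $samples = [null, 'https://www.example.com', 'http://www.example.com',
        'https://www.example.com.example.net', 'https://WWW.example.com', 'null'];
    foreach ($samples as $sample) {
        $acao = cors_headers_for($sample, $allowlist)['Access-Control-Allow-Origin']
            ?? '(no ACAO header: browser blocks the read)';
        printf("%-40s => %s\n", var_export($sample, true), $acao);
    }
} else {
    send_cors_headers(cors_headers_for($_SERVER['HTTP_ORIGIN'] ?? null, $allowlist));
}
```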