Access-Control-Allow-Methods不允许DELETE
我正在尝试使用jQuery从Chrome发送跨源DELETE请求。
但是,如果在开发人员控制台中记录以下错误消息,则会失败:
XMLHttpRequest无法加载
http://actual/url/here。 Access-Control-Allow-Methods不允许使用DELETE方法。
javascript代码在localhost上运行,如下所示:
$.ajax({ type: "DELETE", url: "http://actual/url/here", xhrFields: { withCredentials: true } });
这会导致发送此类飞行前请求:
OPTIONS http://actual/url/here HTTP/1.1 Host: actual Connection: keep-alive Access-Control-Request-Method: DELETE Origin: null User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36 Access-Control-Request-Headers: accept Accept: */* Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8
响应看起来像这样:
HTTP/1.1 200 OK Cache-Control: must-revalidate, private Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE Access-Control-Allow-Headers: accept Access-Control-Max-Age: 900 Access-Control-Allow-Origin: null Access-Control-Allow-Credentials: true Date: Wed, 11 Mar 2015 15:03:46 GMT
据我所知,这很好。 客户端通过发送Access-Control-Request-Method: DELETE检查是否允许Access-Control-Request-Method: DELETE ,并且服务器通过Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE响应来表示允许它Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE 。
但是,不会发送任何DELETE请求,而是报告错误消息(上面)。 为什么?
Access-Control-Allow-Methods的值必须是以逗号分隔的列表,而不是以空格分隔的列表。
来自MDN :
Access-Control-Allow-Methods:[, ]*