helloxielan 2014-08-26 17:44 Acceptance rate: 0%
Views: 125

IE 11, XMLHttpRequest and CORS

I'm trying to access an API service (via XMLHttpRequest/ajax) hosted on a sub-domain (ie: a client on app.samedomain.com will call out to api.samedomain.com) that requires specific headers to be set for security purposes, but I keep getting Access is denied errors. All the solutions I've found say the client/end user must add the site to the "Trusted Sites" security zone, but obviously this is not a real solution. What do I need to do to access an external site with specific headers?

Example Code:

var getUserById = function (user, callback, error) {
  // Tell jQuery to attempt cross-domain requests even if it does not detect CORS support
  $.support.cors = true;
  var endpoint = _getApiVersion() + '/person/model/' + user.userId;
  var _headers = _setHeaders(endpoint, null, user, 'GET');
  $.ajax({
    type: 'GET',
    // Attach the API's authentication headers before the request is sent
    beforeSend: function (request) {
      request.setRequestHeader("api-key", _headers['api-key']);
      request.setRequestHeader("timestamp", _headers['timestamp']);
      request.setRequestHeader("content-md5", _headers['content-md5']);
      request.setRequestHeader("content-type", _headers['content-type']);
      request.setRequestHeader("signature", _headers['signature']);
      request.setRequestHeader("Access-Control-Allow-Origin", "*");
    },
    url: _getBaseUrl() + endpoint,
    data: null,
    contentType: 'application/json',
    dataType: 'json',
    success: callback,
    error: error
  });
};

Thanks in advance,

3 answers

  • MAO-EYE 2014-08-26 17:46

    Are you trying to get data that is not in the same domain as the requester? If that is the case, the only option is to proxy the original request via a service so XMLHttpRequest has access to it.

  • weixin_33686714 2014-08-27 00:32

    "Access-Control-Allow-Origin" is a response header, not a request header. It is something that the server should send back to IE as part of the response.

    If that still doesn't work, you might want to try firing up the F12 Network tool in the IE Dev tools to see if you can get more detail into where in the process the request is failing (Ex: It might be failing on a CORS preflight OPTIONS request).

    Also, rather than using "Access-Control-Allow-Origin: *", you should use "Access-Control-Allow-Origin:app.samedomain.com" to control which domains can access the API.

    To read more about CORS, check http://www.w3.org/wiki/CORS
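
The answer above says that Access-Control-Allow-Origin and the reply to the preflight OPTIONS request come from the server, not the client. As an added example (not code from this thread), here is a Node.js helper for the API side that answers the preflight for the question's custom headers and echoes a single allow-listed origin. The https scheme, the function names and the 600-second max-age are assumptions.

```javascript
// Added example; the allow-list values below are assumptions built from the
// host and header names in the question (the https scheme is assumed).
const ALLOWED_ORIGINS = new Set(['https://app.samedomain.com']);
const ALLOWED_METHODS = ['GET', 'OPTIONS'];
const ALLOWED_HEADERS = ['api-key', 'timestamp', 'content-md5', 'content-type', 'signature'];

// req: { method, headers } with lower-cased header names, as Node's http gives them.
// Returns { status, headers }; status === null means "run the real API handler".
function corsDecision(req) {
  const origin = req.headers['origin'];
  const isPreflight = req.method === 'OPTIONS' &&
    req.headers['access-control-request-method'] !== undefined;
  const headers = { 'Vary': 'Origin' }; // response differs per Origin, so caches must key on it
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-* headers: the browser refuses to expose the response.
    // A simple request still reaches the handler, so the signature check stays the access control.
    return { status: isPreflight ? 403 : null, headers };
  }
  if (isPreflight) {
    const method = req.headers['access-control-request-method'];
    const wanted = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(method) &&
      wanted.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers };
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  headers['Access-Control-Allow-Origin'] = origin; // echo the one matched origin, never "*"
  return { status: isPreflight ? 204 : null, headers };
}

// Wiring for a Node http server: answer preflights here, pass the rest on.
function withCors(apiHandler) {
  return (req, res) => {
    const d = corsDecision(req);
    for (const [name, value] of Object.entries(d.headers)) res.setHeader(name, value);
    if (d.status !== null) { res.statusCode = d.status; return res.end(); }
    return apiHandler(req, res);
  };
}

// Constructed sample: the preflight a browser sends for the question's GET.
const SAMPLE_PREFLIGHT = { method: 'OPTIONS', headers: {
  'origin': 'https://app.samedomain.com',
  'access-control-request-method': 'GET',
  'access-control-request-headers': 'api-key, content-md5, content-type, signature, timestamp' } };
console.log(corsDecision(SAMPLE_PREFLIGHT));
```

With this in place the client sends only its own request headers; the `Access-Control-Allow-Origin` line in `beforeSend` is not in the allow-list and would make the preflight fail with 403.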

  • weixin_33711647 2014-08-27 21:53

    Aside from that, it feels like an order of operations thing. All this should be before the callbacks.

    type: 'GET',
    url: _getBaseUrl() + endpoint,
    data: null,
    contentType: 'application/json',
    dataType: 'json',


