问题描述

我正在编写一些代码来从浏览器调用 Asana API.从浏览器发出的 XDR 请求都以调用 OPTIONS 以获取 Access-Control-* 标头开始，但 Asana 服务器似乎没有响应它们:

I am writing some code to call the Asana API from the browser. XDR requests emitted from the browsers all begin with a call to OPTIONS to get the Access-Control-* headers, but Asana server does not seem to response to them:

Request URL:https://app.asana.com/api/1.0/users?opt_pretty=true&opt_fields=name,email
Request Method:OPTIONS
Status Code:404 Object Not Found
Request Headers:
  Accept:*/*
  Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
  Accept-Encoding:gzip,deflate,sdch
  Accept-Language:fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
  Access-Control-Request-Headers:origin, authorization, accept
  Access-Control-Request-Method:GET
  Connection:keep-alive
  Host:app.asana.com
  Origin:null
  User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1129.0 Safari/536.11

Query String Parameters:
  opt_pretty:true
  opt_fields:name,email

Response Headers:
  Content-Length:82
  Content-Type:application/json
  Date:Sat, 12 May 2012 22:23:19 GMT
  Server:nginx/0.7.67
  ...

响应头应该包含如下内容:

Response headers should contain something like:

Access-Control-Allow-Headers: Accept, Authorization, Content-Type
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Origin: *

或者我在请求 API 时遗漏了什么?

Or is there anything that I am missing when requesting the API?

推荐答案

(我在 Asana 工作)

(I work at Asana)

Asana API 现在不返回这些标头，因为它不支持 OAuth 并且无法安全地验证来自客户端的请求.只有为经过身份验证的客户端返回这些标头才是安全的，否则该服务将受到跨站点脚本攻击.OAuth 在未来支持的功能列表中.

The Asana API does not return these headers right now because it does not support OAuth and cannot securely authenticate requests from clients. It is only secure to return these headers for an authenticated client, otherwise the service would be open to cross-site scripting attacks. OAuth is on the list of features to be supported in the future.

这篇关于ASANA API 和 Access-Control-* 标头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！