bubblev
/
swagger-ui
4
0
複製 0
程式碼 問題 0 合併請求 0 版本發佈 0 Wiki 活動
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3840 提交
2 分支
306 MiB
目錄樹: 32ab8b3ce8
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
從 '32ab8b3ce8'
${ noResults }
swagger-ui/docs/usage/cors.md

cors.md 2.7 KiB
原始文件 Normal View 歷史記錄

Move OAuth2 docs
6 年之前
Move CORS documentation
6 年之前
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. # CORS

  2. 

  3. CORS is a technique to prevent websites from doing bad things with your personal data.  Most browsers + JavaScript toolkits not only support CORS but enforce it, which has implications for your API server which supports Swagger.

  4. 

  5. You can read about CORS here: http://www.w3.org/TR/cors.

  6. 

  7. There are two cases where no action is needed for CORS support:

  8. 

  9. 1. swagger-ui is hosted on the same server as the application itself (same host *and* port).

  10. 2. The application is located behind a proxy that enables the required CORS headers. This may already be covered within your organization.

  11. 

  12. Otherwise, CORS support needs to be enabled for:

  13. 

  14. 1. Your Swagger docs. For Swagger 2.0 it's the `swagger.json`/`swagger.yaml` and any externally `$ref`ed docs.

  15. 2. For the `Try it now` button to work, CORS needs to be enabled on your API endpoints as well.

  16. 

  17. ### Testing CORS Support

  18. 

  19. You can verify CORS support with one of three techniques:

  20. 

  21. - Curl your API and inspect the headers.  For instance:

  22. 

  23. ```bash

  24. $ curl -I "http://petstore.swagger.io/v2/swagger.json"

  25. HTTP/1.1 200 OK

  26. Date: Sat, 31 Jan 2015 23:05:44 GMT

  27. Access-Control-Allow-Origin: *

  28. Access-Control-Allow-Methods: GET, POST, DELETE, PUT, PATCH, OPTIONS

  29. Access-Control-Allow-Headers: Content-Type, api_key, Authorization

  30. Content-Type: application/json

  31. Content-Length: 0

  32. ```

  33. 

  34. This tells us that the petstore resource listing supports OPTIONS, and the following headers:  `Content-Type`, `api_key`, `Authorization`.

  35. 

  36. - Try swagger-ui from your file system and look at the debug console.  If CORS is not enabled, you'll see something like this:

  37. 

  38. ```

  39. XMLHttpRequest cannot load http://sad.server.com/v2/api-docs. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

  40. ```

  41. 

  42. Swagger-UI cannot easily show this error state.

  43. 

  44. - Using the http://www.test-cors.org website. Keep in mind this will show a successful result even if `Access-Control-Allow-Headers` is not available, which is still required for Swagger-UI to function properly.

  45. 

  46. ### Enabling CORS

  47. 

  48. The method of enabling CORS depends on the server and/or framework you use to host your application. http://enable-cors.org provides information on how to enable CORS in some common web servers.

  49. 

  50. Other servers/frameworks may provide you information on how to enable it specifically in their use case.

  51. 

  52. ### CORS and Header Parameters

  53. 

  54. Swagger lets you easily send headers as parameters to requests.  The name of these headers *MUST* be supported in your CORS configuration as well.  From our example above:

  55. 

  56. ```

  57. Access-Control-Allow-Headers: Content-Type, api_key, Authorization

  58. ```

  59. 

  60. Only headers with these names will be allowed to be sent by Swagger-UI.