CORS HEADERS仅在飞行前或每次请求时出现 [英] CORS HEADERS present only on preflight or every request
问题描述
目前尚不清楚 CORS 标头(Access-Control-Allow-Origin等)应仅出现在预检请求(OPTIONS方法)上还是还在资源标题中(我正在尝试使用XHR POST )
It is not clear to me if CORS headers (Access-Control-Allow-Origin, etc) should be present only on the preflight request (OPTIONS method) or also in the resource's headers (which I'm trying to POST using XHR)
我之所以这样问,是因为我安装了一个python插件通过仅将 CORS 标头添加到 OPTIONS 方法(预检)而不处理请求的资源来处理cors,这种方法不能解决chrome和firefox上的cors问题,返回消息,例如
I'm asking this because I installed a python plugin which handles cors by only adding the CORS headers to the OPTIONS method (preflight), but not to the requested resource, this approach is NOT solving the cors issue on chrome and firefox, returning messages like
跨域请求被阻止:同源起源策略不允许读取
在[URL]的远程资源。可以通过
将资源移至同一域或启用CORS来解决此问题。
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at [URL]. This can be fixed by moving the resource to the same domain or enabling CORS.
编辑:
我还在 http:// www上找到了更多信息。 html5rocks.com/en/tutorials/cors/ ,其中表示:
Access-Control-Allow-Origin(必填) -必须在所有有效的CORS响应中包含
这个标头;省略标题将导致CORS
请求失败。标头的值可以回显Origin
请求标头(如上例所示),也可以是*,以允许来自任何源的
请求。如果您希望任何站点都能访问
您的数据,则可以使用 *。但是,如果您想更好地控制
可以访问谁的数据,请在标头中使用实际值。
Access-Control-Allow-Origin (required) - This header must be included in all valid CORS responses; omitting the header will cause the CORS request to fail. The value of the header can either echo the Origin request header (as in the example above), or be a '*' to allow requests from any origin. If you’d like any site to be able to access your data, using '*' is fine. But if you’d like finer control over who can access your data, use an actual value in the header.
推荐答案
它们必须同时出现在两个响应中。
They must be present on both responses.
Step 3 of the preflight rules requires that the browser follows the normal make a request steps.
这篇关于CORS HEADERS仅在飞行前或每次请求时出现的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
