访问控制允许方法的默认值 [英] Default value for Access-Control-Allow-Methods

问题描述

我刚刚了解了 Access-Control-Allow-Methods 标头，例如

I just learned about the Access-Control-Allow-Methods header, e.g.

Access-Control-Allow-Methods: OPTIONS, HEAD, GET

我从来没有使用过这个标头(只是 Access-Control-Allow-Origin)，但我过去已经让 CORS 工作了.

I have never used this header (just Access-Control-Allow-Origin), but I have gotten CORS to work in the past.

是默认允许所有方法，还是因为未定义的行为而幸运?

Is the default to allow all methods, or have I gotten lucky with undefined behavior?

推荐答案

澄清一下，Access-Control-Request-Method 是浏览器在 CORS 预检请求上设置的请求标头，它只能有一个值.Access-Control-Allow-Methods 头是一个 CORS 响应头，它可以有多个值.我假设您询问的是 Access-Control-Allow-Methods 因为这是服务器指定的值.

Just to clarify, Access-Control-Request-Method is a request header that is set by the browser on CORS preflight requests, and it can only have one value. The Access-Control-Allow-Methods header is a CORS response header, and it can have multiple values. I assume you are asking about Access-Control-Allow-Methods because this is the value the server specifies.

Access-Control-Allow-Methods 标头指示在特定端点上允许哪些 HTTP 方法用于跨域请求.如果您允许所有 HTTP 方法，则可以将值设置为 Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD.但是，如果您想将端点限制为仅几个方法，则应仅包含这些方法.

The Access-Control-Allow-Methods header indicates which HTTP methods are allowed on a particular endpoint for cross-origin requests. If you allow all HTTP methods, then its ok to set the value to something like Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD. However, if you want to limit the endpoint to only a few methods, you should only include those methods.

至于为什么您以前没有看到过这个，这个标头仅用于 CORS 预检请求.也许您的应用程序没有使用 CORS 预检，然后发生更改以触发预检.您的应用程序是否使用 GET/POST 以外的任何 HTTP 方法或任何自定义 HTTP 标头?

As to why you haven't been seeing this before, this header is only used on CORS preflight requests. Maybe your application didn't use CORS preflight, and then something changed to trigger a preflight. Does your application use any HTTP methods other than GET/POST, or any custom HTTP headers?

您可以在此处了解有关 CORS 预检请求的更多信息:http://www.html5rocks.com/zh/tutorials/cors/

You can learn more about CORS preflight requests here: http://www.html5rocks.com/en/tutorials/cors/

这篇关于访问控制允许方法的默认值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！