Will duplicate "Access-Control-Allow-Origin: *" headers break CORS?


Question

So we have an http resource that serves up JSON. It adds an

Access-Control-Allow-Origin: *

flag. So this can be loaded with CORS... except (so I'm told) there's some IE9 quirk that means this still won't work in IE9, but it would work if this were an https resource.

So we set up an existing https proxy to include this resource. Only that https resource was ALSO adding the Access-Control-Allow-Origin: * header, so the response contains TWO such headers.

And this seems not to work at all. Experimentally it looks like if I remove the header from the "inner" http resource, the proxied version (now containing just the one header) does work. Just testing with jQuery CORS in Chrome, Firefox.

Is that right? So all I need to do is (have somebody) fix the https proxy to "set" the header and not "add" it?

Recommended answer

The CORS spec explicitly states:

If the response includes zero or more than one Access-Control-Allow-Origin header values, return fail and terminate this algorithm.

So you are correct, you should only have a single Access-Control-Allow-Origin header.
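
The rule quoted above, applied to the proxy setup from the question, as an added example that is not part of the original question or answer. The function names, the sample headers and the origin https://app.example are constructed for illustration; the check covers requests without credentials and treats repeated header lines like one comma-joined line.

```javascript
// Headers are [name, value] pairs so that repeated names are preserved,
// as they are on the wire.

// Proxy behaviour "add": append the proxy's header to whatever upstream sent.
function proxyAdd(upstream, name, value) {
  return [...upstream, [name, value]];
}

// Proxy behaviour "set": drop any upstream copies, then emit exactly one.
function proxySet(upstream, name, value) {
  const kept = upstream.filter(([n]) => n.toLowerCase() !== name.toLowerCase());
  return [...kept, [name, value]];
}

// The check quoted from the CORS spec, for a request without credentials.
function corsCheck(headers, requestOrigin) {
  const values = headers
    .filter(([n]) => n.toLowerCase() === "access-control-allow-origin")
    // Repeated header lines are equivalent to one comma-joined line,
    // so split on commas to count values.
    .flatMap(([, v]) => v.split(","))
    .map((v) => v.trim());
  if (values.length !== 1) {
    return { pass: false, reason: `${values.length} Access-Control-Allow-Origin values` };
  }
  if (values[0] === "*" || values[0] === requestOrigin) {
    return { pass: true, reason: "single matching value" };
  }
  return { pass: false, reason: "value does not match Origin" };
}

// Constructed sample: response headers from the inner http resource.
const upstream = [
  ["Content-Type", "application/json"],
  ["Access-Control-Allow-Origin", "*"],
];
const origin = "https://app.example"; // constructed origin

const addResult = corsCheck(proxyAdd(upstream, "Access-Control-Allow-Origin", "*"), origin);
const setResult = corsCheck(proxySet(upstream, "Access-Control-Allow-Origin", "*"), origin);
console.log("add:", addResult.pass, "-", addResult.reason);
console.log("set:", setResult.pass, "-", setResult.reason);
```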
