CORS Preflight response includes Vary: Origin and Access-Control-Max-Age?


Question

I would like to know how browsers handle a CORS preflight response that includes both Vary: Origin and Access-Control-Max-Age headers.

This statement is from https://www.w3.org/TR/cors/

Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins

From this statement I understand that Vary: Origin will tell browsers to prevent caching of the preflight response (in case allow-origin: * is not used).

Access-Control-Max-Age will tell browsers

Questions:

  1. Is it valid if both of the headers exist in a preflight response?

  2. How do browsers handle the preflight response if the response includes both of those headers?

Thanks!

Recommended answer

Per the spec requirements Vary: Origin won’t affect the behavior of the CORS-preflight cache.

Is it valid if both of the headers exist in a preflight response?

Yes, it’s valid. But if the Vary header is present, it has no effect on the CORS-preflight cache.

How do browsers handle the preflight response if the response includes both of those headers?

For the CORS-preflight cache, browsers completely ignore the Vary header and only use the value of the Access-Control-Max-Age header.

My understanding is Vary: Origin will tell browsers not to cache the preflight result

That is not a requirement.

The CORS-preflight cache isn’t a general HTTP cache covered by requirements in the HTTP spec. It’s a special cache whose behavior is defined exclusively by the Fetch spec. And the Fetch spec doesn’t state any requirements—even indirectly—about the behavior of the CORS-preflight cache being affected at all by the Vary response header.

Instead, this is what the Fetch spec says:

Let max-age be the result of extracting header list values given Access-Control-Max-Age and response’s header list.

the value of the Vary header before setting max-age.

And because the spec doesn’t explicitly state if/how to use Vary when deciding whether to populate the CORS-preflight cache, then browsers must not use Vary when doing it.

If a browser did use Vary in its handling of the CORS-preflight cache, then that browser would be out of conformance with the spec requirements for the CORS-preflight cache.
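
A simplified model of the cache behaviour the answer describes, added here as an illustration (not code from the answer, the Fetch spec or any browser): entries are keyed by requesting origin, URL and method, their lifetime comes only from Access-Control-Max-Age, and Vary is never read. The class and constant names, the 7200-second cap and the example.test hosts are assumptions; the credentials flag and header-name entries of the real cache are left out.

```javascript
// Simplified model of the CORS-preflight cache described in the answer above.
// Assumptions: the CORS check already passed; time is passed in as seconds.
const DEFAULT_MAX_AGE = 5; // Fetch: used when Access-Control-Max-Age is absent or invalid
const ASSUMED_CAP = 7200;  // assumption: the browser's imposed upper limit, in seconds

class PreflightCache {
  constructor(cap = ASSUMED_CAP) {
    this.cap = cap;
    this.entries = new Map(); // key -> expiry time in seconds
  }

  // Entries are keyed by requesting origin, URL and method. Vary is not part of the key.
  static key(origin, url, method) {
    return JSON.stringify([origin, url, method]);
  }

  // headers: plain object with lower-case names (constructed input).
  // Only Access-Control-* headers are read; a "vary" property is never consulted.
  store(origin, url, headers, now) {
    const raw = headers['access-control-max-age'] ?? '';
    const parsed = /^\d+$/.test(raw) ? Number(raw) : DEFAULT_MAX_AGE;
    const maxAge = Math.min(parsed, this.cap);
    const methods = (headers['access-control-allow-methods'] ?? '')
      .split(',').map((m) => m.trim()).filter(Boolean);
    for (const method of methods) {
      this.entries.set(PreflightCache.key(origin, url, method), now + maxAge);
    }
    return maxAge;
  }

  // True when a fresh entry lets the browser skip the preflight.
  hasMethodMatch(origin, url, method, now) {
    const k = PreflightCache.key(origin, url, method);
    const expires = this.entries.get(k);
    if (expires === undefined) return false;
    if (expires <= now) { this.entries.delete(k); return false; }
    return true;
  }
}

// Constructed preflight response headers for a hypothetical API.
const API_URL = 'https://api.example.test/items';
const SAMPLE = { 'access-control-allow-origin': 'https://a.example.test',
  'access-control-allow-methods': 'PUT, DELETE', 'access-control-max-age': '600', vary: 'Origin' };

const cache = new PreflightCache();
cache.store('https://a.example.test', API_URL, SAMPLE, 0);
console.log(cache.hasMethodMatch('https://a.example.test', API_URL, 'PUT', 10)); // true
console.log(cache.hasMethodMatch('https://b.example.test', API_URL, 'PUT', 10)); // false
```

Because the requesting origin is part of the key, a cached preflight result is not reused for another origin even though Vary is ignored here.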
