跨域资源共享 GET:“拒绝获取不安全的标头“etag""来自回应 [英] Cross Domain Resource Sharing GET: 'refused to get unsafe header "etag"' from Response

问题描述

一个没有自定义标头的简单 GET 请求.响应按预期返回.可以访问正文中的数据，但不能访问标题.

A simple GET request with no custom headers. The response is returned as expected. The data in the body is accessible, but not the headers.

当我尝试访问etag"标头时，浏览器会引发异常:

When I try to access the "etag" header, browsers raise an exception :

拒绝获取不安全的标头etag"

Refused to get unsafe header "etag"

Chrome、Safari 和 Firefox 的行为都相同.我没有在 IE 上测试过.

Chrome, Safari and Firefox all behave the same. I didn't test it on IE.

我在这里遗漏了什么?

推荐答案

使用 CORS 时只公开简单的响应头.此处定义了简单的响应标头.ETag 不是简单的响应头.如果要公开非简单的标头，则需要设置 Access-Control-Expose-Headers 标头，如下所示:

Only simple response headers are exposed when using CORS. Simple response headers are defined here. ETag is not a simple response headers. If you want to expose non-simple headers, you need to set the Access-Control-Expose-Headers header, like so:

Access-Control-Expose-Headers: ETag

但是，请注意，我注意到 Chrome、Safari 和 Firefox 中的错误会阻止非简单标头正确公开.这可能现在已经解决了，我不确定.

However, note that I've noticed bugs in Chrome, Safari and Firefox that prevent non-simple headers from being exposed correctly. This may be fixed by now, I'm not sure.

您不需要执行预检请求，因为只有非 GET/POST http 方法或非简单的 request 标头才需要预检(并且您正在询问 response 标题).

You shouldn't need to do a preflight request, since preflight is only required for non-GET/POST http methods or non-simple request headers (and you are asking about response headers).

这篇关于跨域资源共享 GET:“拒绝获取不安全的标头“etag""来自回应的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！