Why is an OPTIONS request sent and can I disable it?


Problem description


I am building a web API. I found whenever I use Chrome to POST, GET to my API, there is always an OPTIONS request sent before the real request, which is quite annoying. Currently, I get the server to ignore any OPTIONS requests. Now my question is what's good to send an OPTIONS request to double the server's load? Is there any way to completely stop the browser from sending OPTIONS requests?

Solution

edit 2018-09-13: added some precisions about this pre-flight request and how to avoid it at the end of this response.

OPTIONS requests are what we call pre-flight requests in Cross-origin resource sharing (CORS).

They are necessary when you're making requests across different origins in specific situations.

This pre-flight request is made by some browsers as a safety measure to ensure that the request being done is trusted by the server. Meaning the server understands that the method, origin and headers being sent on the request are safe to act upon.

Your server should not ignore but handle these requests whenever you're attempting to do cross origin requests.

A good resource can be found here http://enable-cors.org/

A way to handle these to get comfortable is to ensure that for any path with OPTIONS method the server sends a response with this header

Access-Control-Allow-Origin: *

This will tell the browser that the server is willing to answer requests from any origin.

For more information on how to add CORS support to your server see the following flowchart

http://www.html5rocks.com/static/images/cors_server_flowchart.png


edit 2018-09-13

The CORS OPTIONS request is triggered only in some cases, as explained in MDN docs:

Some requests don’t trigger a CORS preflight. Those are called "simple requests" in this article, though the Fetch spec (which defines CORS) doesn’t use that term. A request that doesn’t trigger a CORS preflight—a so-called "simple request"—is one that meets all the following conditions:

The only allowed methods are:

  • GET
  • HEAD
  • POST

Apart from the headers set automatically by the user agent (for example, Connection, User-Agent, or any of the other headers with names defined in the Fetch spec as a "forbidden header name"), the only headers which are allowed to be manually set are those which the Fetch spec defines as being a "CORS-safelisted request-header", which are:

  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type (but note the additional requirements below)
  • DPR
  • Downlink
  • Save-Data
  • Viewport-Width
  • Width

The only allowed values for the Content-Type header are:

  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/plain

No event listeners are registered on any XMLHttpRequestUpload object used in the request; these are accessed using the XMLHttpRequest.upload property.

No ReadableStream object is used in the request.
