Internet Explorer 11 未在 CORS 请求中添加 Origin 标头? [英] Internet Explorer 11 does not add the Origin header on a CORS request?
问题描述
我的问题取决于我认为正确的几个假设.
My issue depends on a couple of assumptions I hold true.
Origin 标头是浏览器需要放在 CORS(跨源资源共享)请求上的.
The Origin header is required by the browser to be put on a CORS (Cross Origin Resource Sharing) request.
维基百科:
为了发起跨域请求,浏览器发送请求一个 Origin HTTP 标头.
To initiate a cross-origin request, a browser sends the request with an Origin HTTP header.
首先要注意的是,一个有效的 CORS 请求总是包含一个 Origin 标头.这个 Origin 头是由浏览器添加的,可以不受用户控制.
The first thing to note is that a valid CORS request always contains an Origin header. This Origin header is added by the browser, and can not be controlled by the user.
W3:
如果请求的 URL 来源与原始 URL 不同来源,将来源来源设置为全局唯一标识符 [..].
If the request URL origin is not same origin with the original URL origin, set source origin to a globally unique identifier [..].
假设 nr 2:Internet Explorer 10+ 支持 CORS
请参阅 caniuse.com 并使用谷歌搜索数百个声称支持的不同类型来源.
Assumption nr 2: Internet Explorer 10+ support CORS
See caniuse.com and use google for a couple of hundreds more sources of different kinds claiming the support.
使用不同端口号的资源被认为是不同来源的:
Resources using different port numbers is considered to be of different origins:
两个资源被认为是同源的当且仅当所有这些值都完全相同.[..] 失败 - 相同的协议和主机但不同的端口.
Two resources are considered to be of the same origin if and only if all these values are exactly the same. [..] Failure - Same protocol and host but different port.
如果协议、端口(如果其中一个是指定),并且两个页面的主机相同.
Two pages have the same origin if the protocol, port (if one is specified), and host are the same for both pages.
问题:
Internet Explorer 11 在向同一域localhost"发出 CORS 请求但使用不同端口(从 8411 到 8080)时不会发送 Origin 标头.Opera、FireFox 和 Chrome 会发送 Origin 标头.然而大家一直在说 Internet Explorer 10+ 支持 CORS?
The problem:
Internet Explorer 11 does not send the Origin header when making a CORS request to the same domain "localhost" but using different ports (from 8411 to 8080). Opera, FireFox and Chrome do send the Origin header. Yet everybody keeps saying CORS is supported in Internet Explorer 10+?
推荐答案
Internet Explorer 对同源"的定义与其他浏览器不同.请参阅IE 例外MDN 文档中关于同源策略的部分:
Internet Explorer's definition of the "same origin" differs to the other browsers. See the IE Exceptions section of the MDN documentation on the same-origin policy:
Internet Explorer 在同源策略方面有两个主要例外:
Internet Explorer has two major exceptions when it comes to same origin policy:
- 信任区域:如果两个域都在高度信任的区域(例如公司域)中,则不会应用相同的来源限制
- 端口: IE 没有将端口包含到同源组件中,因此 http://company.com:81/index.html 和 http://company.com/index.html 被认为是同源的,没有任何限制.
- Trust Zones: if both domains are in highly trusted zone e.g, corporate domains, then the same origin limitations are not applied
- Port: IE doesn't include port into Same Origin components, therefore http://company.com:81/index.html and http://company.com/index.html are considered from same origin and no restrictions are applied.
因此,如果您的跨域请求发生在不同的端口上,或者发生在 IE 的受信任区域之一内,则 IE 不会将该请求视为跨域请求,并且不需要添加 Origin:标题.
Therefore if your cross-origin request occurs across different ports, or within one of IE's trusted zones, IE will not treat the request as cross-origin and will see no need to add the Origin: header.
这篇关于Internet Explorer 11 未在 CORS 请求中添加 Origin 标头?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
