CORS和Access-Control-Allow-Headers如何工作？ [英] How do CORS and Access-Control-Allow-Headers work?

问题描述

我正在尝试将CORS请求从domain.com发布到a.domain.com。

我的JavaScript看起来像这样

  $（'＃fileupload' ）.fileupload（{
 xhrFields：{
 withCredentials：true 
}，
 dataType：'json'，
 url：$（'＃fileupload'）。data （'path'），
 singleFileUploads：true，
 add：function（e，data）{
 data.submit（）; 
} 
} 
  

一开始我看到OPTIONS路由被这样调用：

 请求网址：https://a.domain.com/some/route 
请求方法：选项
状态代码：200 OK 
  

选项请求：

 访问控制请求标头：origin，content-type，accept 
访问控制请求方法：POST 
主机：a.domain.com 
原产地：http：//domain.com：3000 
 Referer：http：//domain.com：3000 / home 
  

OPTIONS RESPONSE

  Access-Control-凭证：true 
 Access-Control-Allow-Methods：POST 
 Access-Control-Allow-Origin：http：//domain.com：3000 
 Connection：keep-alive 
 Content-Length：0 
 Content-Type：text / html; charset = utf-8 
  

该请求返回一个200如所述。在我的服务器上，我有相同的路由与 POST 方法，这是我得到的回报后 OPTIONS / p>

 请求网址：https：//a.domain.com/some/route 
  
 
 
 
  POST REQUEST  
  Content-Type：multipart / form-data; boundary = ---- WebKitFormBoundaryjwr5Pk7WBcfzMdbO 
原产地：http：//domain.com：3000 
 Referer：http：//domain.com：3000 / home 
  
并且 POST 请求被取消/失败。 
 
 
 
我的问题是，我需要在POST控制器上具有access-control-allow-origin吗？ 
 
 
 
我有一个具有域 .domain.com 的Cookie，可以在请求中发送过一次并且不会立即发送。任何想法为什么会发生？ 
解决方案
是的，您需要有 Access-Control-Allow-Origin：http： /domain.com:3000 或 Access-Control-Allow-Origin：* 。您应该在POST响应中包含标头 Access-Control-Allow-Credentials：true 。
 
 
 
 OPTIONS响应还应包含标头 Access-Control-Allow-Headers：origin，content-type，accept 以匹配所请求的标头。
 
I'm trying to make  CORS request POST from domain.com to a.domain.com. 

My javascript looks like this
$('#fileupload').fileupload({
  xhrFields: {
    withCredentials: true
  },
  dataType: 'json',
  url: $('#fileupload').data('path'),
  singleFileUploads: true,
  add: function(e, data){
    data.submit();
  }
});
At first I see the OPTIONS route being called like so:
Request URL: https://a.domain.com/some/route
Request Method:OPTIONS
Status Code:200 OK
OPTIONS REQUEST:    
Access-Control-Request-Headers:origin, content-type, accept
Access-Control-Request-Method:POST
Host:a.domain.com
Origin:http://domain.com:3000
Referer:http://domain.com:3000/home
OPTIONS RESPONSE    
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:POST
Access-Control-Allow-Origin:http://domain.com:3000
Connection:keep-alive
Content-Length:0
Content-Type:text/html;charset=utf-8
That request comes back with a 200 like stated. On my server, I have the same route with POST method and this is what I get in return after the OPTIONS
Request URL:https://a.domain.com/some/route
POST REQUEST
Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryjwr5Pk7WBcfzMdbO
Origin:http://domain.com:3000
Referer:http://domain.com:3000/home
and the POST request gets canceled/fails. 

My question is, do I need to have the access-control-allow-origin on the POST controller as well? 

I have a cookie for authorization that has domain .domain.com that cookie got sent across once in a request and it's not being sent now. Any idea why that would happen? 
解决方案
Yes, you need to have the header Access-Control-Allow-Origin: http://domain.com:3000 or Access-Control-Allow-Origin: * on both the OPTIONS response and the POST response. You should include the header Access-Control-Allow-Credentials: true on the POST response as well.

Your OPTIONS response should also include the header Access-Control-Allow-Headers: origin, content-type, accept to match the requested header.

                        
这篇关于CORS和Access-Control-Allow-Headers如何工作？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！