请求标头字段访问控制 - 允许标头本身在预检响应中不允许 [英] Request header field Access-Control-Allow-Headers is not allowed by itself in preflight response
问题描述
我已经碰到CORS问题多次,通常可以解决它,但我想真正理解从一个MEAN堆栈模式看到这一点。
I have come across CORS issues multiple times and can usually fix it but I want to really understand by seeing this from a MEAN stack paradigm.
在我的简单服务器中添加中间件来捕获这些东西之前,但是看起来像是有一些预钩子,这是错误的我的请求。
Before I simply added middleware in my express server to catch these things, but it looks like there is some kind of pre-hook that is erring out my requests.
Request header field Access-Control-Allow-Headers is not allowed by
Access-Control-Allow-Headers in preflight response
我假设我可以这样做:
I assumed that I could do this:
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Headers","*")
})
修理它。我也当然尝试了
or the equivalent but this doesn't seem to fix it. I also of course tried
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Headers","Access-Control-Allow-Headers")
})
仍然没有运气。
推荐答案
你会得到一个CORS预检。这是一个使用HTTP OPTIONS
动词的请求,并包含多个标头,其中之一是 Access-Control-Request-Headers
列出客户希望包含在请求中的标头。
When you start playing around with custom request headers you will get a CORS preflight. This is a request that uses the HTTP OPTIONS
verb and includes several headers, one of which being Access-Control-Request-Headers
listing the headers the client wants to include in the request.
您需要使用适当的CORS标头来回复CORS预检,以使其工作。其中之一确实是 Access-Control-Allow-Headers
。该标头需要包含 Access-Control-Request-Headers
标头包含的(或更多)相同的值。
You need to reply to that CORS preflight with the appropriate CORS headers to make this work. One of which is indeed Access-Control-Allow-Headers
. That header needs to contain the same values the Access-Control-Request-Headers
header contained (or more).
https://fetch.spec.whatwg.org/#http-cors-protocol 说明此设置更详细。
这篇关于请求标头字段访问控制 - 允许标头本身在预检响应中不允许的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!