跨源资源共享(CORS)是否区分HTTP和HTTPS? [英] Does Cross-Origin Resource Sharing(CORS) differentiate between HTTP AND HTTPS?
问题描述
我有两个网站:https:// www.domain-only-uses-https.com和www.domain-uses-both-http-and-https.com
现在我在前一页的页面中发出2个ajax GET请求,一个是
https: //www.domain-uses-both-http-and-https.com/some-path(使用HTTPS方案)
,另一个是
http://www.domain-uses-both-http-and -https.com/some-other-path(使用HTTP方案)
https //:www.domain-only-uses-https.com作为服务器www.domain-uses-both-http-and-https中的Access-Control-Allow-Origin:标头的值。 com。
但现在似乎Chrome只允许请求1,但禁止请求2。
所以我的问题是:Access-Control-Allow-Origin头是否区分HTTP和HTTPS?
希望我已清除了。
是,HTTP和HTTPS
是主机名,端口的组合,和方案。 http://foo.example.com:8080/
^^^^ ^^^^^^^^^^^^^^^^^^^
|| || ||
scheme hostname port
如果不是所有这些字段在两个资源之间匹配,来自不同的起源。因此,您必须明确指定是使用HTTP方案从源代码访问资源还是使用HTTPS方案访问源代码。
某些浏览器只允许 Access-Control-Allow-Origin
头只包含与每个响应一起发送的一个源(或 *
);但是,您的服务器可以检测请求的 Origin
头,并在CORS响应中发送相同的源。
I have two sites : https//:www.domain-only-uses-https.com and www.domain-uses-both-http-and-https.com
Now I am making 2 ajax GET requests in the page of the former to the later, one is
https://www.domain-uses-both-http-and-https.com/some-path (using the HTTPS scheme)
and the other one is
http://www.domain-uses-both-http-and-https.com/some-other-path (using the HTTP scheme)
And I DID set the "https//:www.domain-only-uses-https.com" as the value of "Access-Control-Allow-Origin:" header in the server "www.domain-uses-both-http-and-https.com ".
But now it seems that only request 1 is allowed by Chrome ,but request 2 is forbidden.
So my question is : does the "Access-Control-Allow-Origin" header differentiate between HTTP AND HTTPS? Hope I've made myself clear..
Yes, HTTP and HTTPS origins are different.
An origin is a combination of hostname, port, and scheme.
http://foo.example.com:8080/
^^^^ ^^^^^^^^^^^^^^^ ^^^^
|| || ||
scheme hostname port
If not all of these fields match between two resources, then the resources are from different origins. Thus, you must expressly specify whether the resource is accessible from the origin with an HTTP scheme or the origin with an HTTPS scheme.
Some browsers only allow the Access-Control-Allow-Origin
header to contain exactly one origin (or *
) sent with each response; however, your server can detect the request's Origin
header and send the same origin in the CORS response.
这篇关于跨源资源共享(CORS)是否区分HTTP和HTTPS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!