Default value for Access-Control-Request-Methods
I just learned about the Access-Control-Request-Methods header, e.g.
Access-Control-Request-Methods: OPTIONS, HEAD, GET
I have never used this header (just Access-Control-Request-Origin), but I have gotten CORS to work in the past.
Is the default to allow all methods, or have I gotten lucky with undefined behavior?
Just to clarify, Access-Control-Request-Method is a request header that is set by the browser on CORS preflight requests, and it can only have one value. The Access-Control-Allow-Methods header is a CORS response header, and it can have multiple values. I assume you are asking about Access-Control-Allow-Methods because this is the value the server specifies.
The Access-Control-Allow-Methods header indicates which HTTP methods are allowed on a particular endpoint for cross-origin requests. If you allow all HTTP methods, then it's ok to set the value to something like Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD. However, if you want to limit the endpoint to only a few methods, you should only include those methods.
As to why you haven't been seeing this before, this header is only used on CORS preflight requests. It could be that your application didn't use CORS preflight, and then something changed to trigger a preflight. Does your application use any HTTP methods other than GET/POST, or any custom HTTP headers?
You can learn more about CORS preflight requests here: http://www.html5rocks.com/en/tutorials/cors/
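The preflight exchange described in the answer, as an added example that is not part of the original question or answer: a server-side decision function that reads the single-valued Access-Control-Request-Method and answers with a per-endpoint Access-Control-Allow-Methods list. The endpoint paths, the origin `https://app.example` and the function names are assumptions, and `needsPreflight` is a simplification that ignores the Content-Type rule.

```javascript
// Added example. Paths, origin and function names are assumptions.
// Constructed per-endpoint policy: list only the methods each endpoint needs.
const POLICY = new Map([
  ["/api/articles", { origins: ["https://app.example"], methods: ["GET", "HEAD", "POST"] }],
  ["/api/articles/item", { origins: ["https://app.example"], methods: ["GET", "PUT", "DELETE"] }],
]);

// Simplified trigger check: a method other than GET/HEAD/POST, or any
// custom (non-safelisted) request header, makes the browser send a preflight.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
function needsPreflight(method, customHeaders = []) {
  return !SIMPLE_METHODS.has(method.toUpperCase()) || customHeaders.length > 0;
}

// Decide the response to an OPTIONS preflight. `headers` uses lowercase names.
function handlePreflight(path, headers) {
  // A denial carries no CORS headers, so the browser blocks the real request.
  const deny = (status) => ({ status, headers: {} });
  const rule = POLICY.get(path);
  if (!rule) return deny(404);
  const origin = headers["origin"];
  const requested = headers["access-control-request-method"];
  if (!origin || !requested) return deny(400);
  // Access-Control-Request-Method carries exactly one method.
  if (requested.includes(",")) return deny(400);
  if (!rule.origins.includes(origin)) return deny(403);
  if (!rule.methods.includes(requested.trim())) return deny(403);
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      // Response header: may list several methods.
      "Access-Control-Allow-Methods": rule.methods.join(", "),
      "Vary": "Origin",
    },
  };
}
```

An endpoint that only ever receives GET or POST without custom headers never reaches `handlePreflight`, which is why a missing Access-Control-Allow-Methods header can go unnoticed until a PUT or DELETE is introduced.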