Is the Access-Control-Allow-Origin CORS header required when doing a preflight request?


Question

We are seeing the well-known CORS error on our site:

XMLHttpRequest cannot load https://my-site.com/api. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://my-other-site.com' is therefore not allowed access.

The thing is, the Access-Control-Allow-Origin is set correctly on the preflight request...

OPTIONS https://my-site.com/api HTTP/1.1
Host: my-site.com
Access-Control-Request-Method: POST
Origin: https://my-other-site.com
Access-Control-Request-Headers: my-custom-header, accept, content-type
Accept: */*
Referer: https://my-other-site.com/
...other stuff...


HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://my-other-site.com
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: my-custom-header, accept, content-type
Access-Control-Expose-Headers: my-custom-header
...other stuff...

POST https://my-site.com/api HTTP/1.1
Host: my-site.com
Accept: */*
My-Custom-Header: abcd123
Origin: https://my-other-site.com
Referer: https://my-other-site.com/
...other stuff...


HTTP/1.1 200 OK
My-Custom-Header: abcd123
...other stuff...

I don't understand the problem. According to everything I've read online, if we use a preflight request, we shouldn't need to add CORS headers for the actual request. However, that's clearly not the case.

All of the examples here and here include an Access-Control-Allow-Origin header in the actual response, but don't include any of the other "required" CORS headers. When we add that one header to our actual response, the error goes away.

So my question is, is the Access-Control-Allow-Origin header actually required in both requests? Where is that stated? And why is that true?

Accepted answer

Yes, it appears both responses should include the necessary CORS headers.

In both the Simple Cross-Origin Request and the Cross-Origin Request with Preflight, the "actual request" follows the same behavior, checking for CORS headers regardless of the preflight (step 1 and step 3, respectively).

  1. [...] Apply the make a request steps and observe the request rules below while making the request.

  • ... (snipped: 3xx codes, aborts, and network errors)

Otherwise

Perform a resource sharing check. [...]

The resource sharing check algorithm for a given resource is as follows:

  1. If the response includes zero or more than one Access-Control-Allow-Origin header values, return fail and terminate this algorithm.

[...]

The preflight request only prevents the "actual request" from beginning.
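The two checks the answer relies on, as an added example that is not part of the original question or answer: a model of the quoted "resource sharing check" run against the header sets from the question (constructed here from the exchange above), plus an allowlist helper that is an assumption about how the server side could emit the header on both responses.

```python
# Added example (not from the original question or answer): a model of the
# "resource sharing check" quoted above, applied to both the preflight response
# and the actual response from the question. Header sets are constructed here.

ORIGIN = "https://my-other-site.com"

# Responses from the question, as (name, value) pairs; duplicates are kept
# so the "more than one Access-Control-Allow-Origin header" rule is testable.
PREFLIGHT_RESPONSE = [
    ("Access-Control-Allow-Origin", "https://my-other-site.com"),
    ("Access-Control-Allow-Methods", "POST"),
    ("Access-Control-Allow-Headers", "my-custom-header, accept, content-type"),
]
ACTUAL_RESPONSE_AS_POSTED = [("My-Custom-Header", "abcd123")]


def resource_sharing_check(headers, origin):
    """Return True if the browser would expose this response to `origin`.

    Step 1 is the rule quoted above: zero or more than one
    Access-Control-Allow-Origin value fails. The remaining step is the spec's
    case-sensitive comparison of that single value against the request
    Origin (or the wildcard "*").
    """
    values = [v for k, v in headers if k.lower() == "access-control-allow-origin"]
    if len(values) != 1:
        return False
    return values[0] == "*" or values[0] == origin


def cors_headers_for(origin, allowed_origins):
    """Headers a server should add to BOTH the preflight and the actual response.

    Assumed helper: the origin is echoed only when it is on an explicit
    allowlist; reflecting any Origin value unconditionally would let every
    site read the response.
    """
    if origin not in allowed_origins:
        return []  # no CORS headers: the browser blocks the read
    return [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]


def fixed_actual_response(origin, allowed_origins):
    # The fix the question describes: the same allow-origin header on the POST reply.
    return ACTUAL_RESPONSE_AS_POSTED + cors_headers_for(origin, allowed_origins)


if __name__ == "__main__":
    print(resource_sharing_check(PREFLIGHT_RESPONSE, ORIGIN))         # True
    print(resource_sharing_check(ACTUAL_RESPONSE_AS_POSTED, ORIGIN))  # False
    print(resource_sharing_check(fixed_actual_response(ORIGIN, {ORIGIN}), ORIGIN))  # True
```

The second call reproduces the browser error from the question: the preflight passed, but the actual response carried no Access-Control-Allow-Origin, so the check on step 3 fails.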
