Why multiple OPTIONS request are sent, even if Access-Control-Allow-Origin is set to *?

Problem description

I have built an API (api.example.com) and want it to be accessible from www.example.com
I also want it to be accessible from other domains.

For that I have added Access-Control-Allow-Origin: *

But when I open www.example.com, a preflight request (OPTIONS request) is sent before all the API requests.
How do I stop multiple preflight requests? I think there should be only one preflight request, what am I doing wrong? Or is it natural that the browser has to send a preflight request before each and every call?
Note: I don't want to use JSONP as I am making it publicly accessible with Access-Control-Allow-Origin: *

OPTIONS Call header

Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:accept, authorization
Access-Control-Request-Method:GET
AlexaToolbar-ALX_NS_PH:AlexaToolbar/alxg-3.2
Connection:keep-alive
Host:api.touchtalent.biz
Origin:http://www.example.com
Referer:http://www.example.com/artist/52894/pratim-relekar
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36

OPTIONS Call response

Access-Control-Allow-Headers:origin, x-requested-with, content-type, Authorization
Access-Control-Allow-Methods:PUT, GET, POST, DELETE
Access-Control-Allow-Origin:*
Connection:Keep-Alive
Content-Encoding:gzip
Content-Length:163
Content-Type:text/html
Date:Fri, 13 Jun 2014 14:24:55 GMT
Keep-Alive:timeout=5, max=98
Server:Apache/2.2.22 (Ubuntu)
Vary:Accept-Encoding
X-Powered-By:PHP/5.4.6-1ubuntu1.8

GET request request header

Accept:application/json, text/plain, */*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
AlexaToolbar-ALX_NS_PH:AlexaToolbar/alxg-3.2
Authorization:Bearer VtQJqaTGd7YFb8Mee6GfiLwiRrUdt2iCp9ITuiUE
Connection:keep-alive
Host:api.touchtalent.biz
Origin:http://www.example.com
Referer:http://www.example.com/artist/52894/pratim-relekar
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36

GET request response header

Access-Control-Allow-Headers:origin, x-requested-with, content-type, Authorization
Access-Control-Allow-Methods:PUT, GET, POST, DELETE
Access-Control-Allow-Origin:*
Connection:Keep-Alive
Content-Length:1116
Content-Type:application/json
Date:Fri, 13 Jun 2014 14:24:55 GMT
Keep-Alive:timeout=5, max=97
Server:Apache/2.2.22 (Ubuntu)
Status:200
X-Powered-By:PHP/5.4.6-1ubuntu1.8

Although I did not want to provide a URL as it will break as development proceeds. But if it may help: http://www.touchtalent.biz/home

UPDATE 1:
Once I removed the Authorization:Bearer VtQJqaTGd7YFb8Mee6GfiLwiRrUdt2iCp9ITuiUE header, it stopped making multiple preflight requests.
But removing this header will break the OAuth implementation. I still have to prevent multiple preflight requests without removing the custom header. How do I do it?

UPDATE 2:
Adding Access-Control-Max-Age helped. Now it's not sending a preflight for the same request, BUT for different requests (different URLs) it's sending multiple OPTIONS requests.

Solution

You can try adding a header like Access-Control-Max-Age to minimize repetitive OPTIONS requests. This will tell the browser to cache pre-flight info. See http://www.w3.org/TR/2008/WD-access-control-20080912/#access-control-max-age
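The behaviour reported in UPDATE 1 and UPDATE 2 can be reproduced with a simplified model of the browser's preflight cache. This is an added example, not code from the original post: the `PreflightCache` class, the `/artist/1` and `/artist/2` URLs and the timestamps are constructed, and the model assumes the server allows every method and header the preflight asks for.

```javascript
// Simplified model of a browser's CORS-preflight cache (illustrative, not a browser API).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Author-set headers outside the CORS safelist (e.g. Authorization) force a preflight.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n === "content-type") return !SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
    return !SAFE_HEADERS.has(n);
  }).map(([name]) => name.toLowerCase());
}

class PreflightCache {
  constructor(maxAgeSeconds = 5) { // 5 s is the default when Access-Control-Max-Age is absent
    this.maxAge = maxAgeSeconds;
    this.entries = new Map();      // cache key -> expiry time in seconds
  }
  // Entries are keyed by origin + exact URL + method/header, so a new URL never matches.
  request(origin, method, url, headers, now) {
    const needed = unsafeHeaders(headers).map(h => `${origin}|${url}|header|${h}`);
    if (!SAFE_METHODS.has(method)) needed.push(`${origin}|${url}|method|${method}`);
    if (needed.length === 0) return "no-preflight";
    if (needed.every(k => (this.entries.get(k) ?? -1) > now)) return "cache-hit";
    needed.forEach(k => this.entries.set(k, now + this.maxAge)); // OPTIONS sent, result cached
    return "preflight";
  }
}

// Constructed sequence modelled on the question: a bearer-token GET to two API URLs,
// then the same GET without the Authorization header. Times are in seconds.
function replay(maxAgeSeconds) {
  const cache = new PreflightCache(maxAgeSeconds);
  const origin = "http://www.example.com";
  const auth = { Accept: "application/json", Authorization: "Bearer <token>" };
  return [
    cache.request(origin, "GET", "http://api.example.com/artist/1", auth, 0),
    cache.request(origin, "GET", "http://api.example.com/artist/1", auth, 10),
    cache.request(origin, "GET", "http://api.example.com/artist/2", auth, 11),
    cache.request(origin, "GET", "http://api.example.com/artist/1", { Accept: "application/json" }, 12),
  ];
}
console.log(replay(5), replay(600));
```

Browsers also cap the value (Chromium at 7200 seconds, Firefox at 86400), and a cached preflight keeps the old allow-list in effect until it expires, so a tightened CORS policy is not picked up immediately.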
