Will duplicate "Access-Control-Allow-Origin: *" headers break CORS?


Problem description

So we have an http resource that serves up JSON. It adds an

Access-Control-Allow-Origin: *

flag. So this can be loaded with CORS... except (so I'm told) there's some IE9 quirk that means this still won't work in IE9, but it would work if this were an https resource.

So we set up an existing https proxy to include this resource. Only that https resource was ALSO adding the Access-Control-Allow-Origin: * header, so the response contains TWO such headers.

And this seems not to work at all. Experimentally it looks like if I remove the header from the "inner" http resource, the proxied version (now containing just the one header) does work. Just testing with jQuery CORS in Chrome, Firefox.

Is that right? So all I need to do is (have somebody) fix the https proxy to "set" the header and not "add" it?

Recommended answer

The CORS spec explicitly states:


If the response includes zero or more than one Access-Control-Allow-Origin header values, return fail and terminate this algorithm.

So you are correct, you should only have a single Access-Control-Allow-Origin header.
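
The rule quoted in the answer, applied to raw response headers, as an added example that is not part of the original question or answer. The function names, the sample upstream response and the origin `https://app.example` are constructed for illustration; `proxyAdd` and `proxySet` model the "add" and "set" proxy behaviours discussed in the question.

```javascript
// Collect every Access-Control-Allow-Origin value from a raw header block.
function allowOriginValues(rawHeaders) {
  const values = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue; // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    if (name !== "access-control-allow-origin") continue;
    // Repeated header lines are equivalent to one comma-joined line,
    // so count values, not lines.
    for (const v of line.slice(idx + 1).split(",")) values.push(v.trim());
  }
  return values;
}

// Passes only when exactly one value is present and it matches
// (wildcard match shown here applies to non-credentialed requests).
function corsCheck(rawHeaders, requestOrigin) {
  const values = allowOriginValues(rawHeaders);
  if (values.length !== 1) return false; // zero or more than one: fail
  return values[0] === "*" || values[0] === requestOrigin;
}

// Proxy that "adds" its header on top of the upstream's (the broken setup).
function proxyAdd(upstreamHeaders) {
  return upstreamHeaders + "\r\nAccess-Control-Allow-Origin: *";
}

// Proxy that "sets" the header: drop upstream copies, then emit one.
function proxySet(upstreamHeaders) {
  const kept = upstreamHeaders
    .split(/\r?\n/)
    .filter((l) => !/^access-control-allow-origin\s*:/i.test(l));
  kept.push("Access-Control-Allow-Origin: *");
  return kept.join("\r\n");
}

// Constructed response from the inner http resource.
const upstream = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json",
  "Access-Control-Allow-Origin: *",
].join("\r\n");
const origin = "https://app.example"; // hypothetical requesting origin

console.log("upstream alone:", corsCheck(upstream, origin));
console.log("proxy add:     ", corsCheck(proxyAdd(upstream), origin));
console.log("proxy set:     ", corsCheck(proxySet(upstream), origin));
```

The same count can be run against captured response headers from a staging proxy to catch a doubled header before it reaches browsers.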
