HTTP protocol notes

Summary: Author: 张亚飞 | Reading time: 1 minute read | Published: 2017-03-30
Filed under Categories: Linux | Tags: Note


Example environment:

  1. When the page at https://admin.t.zshui.org calls resources on https://api.t.zshui.org cross-origin, the API's response (the OPTIONS preflight and the actual request's response alike) must carry the response header [Access-Control-Allow-Origin: https://admin.t.zshui.org] or [Access-Control-Allow-Origin: *].

Otherwise the browser throws the following error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.t.zshui.org/api/service/requestToken. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

If the site instead returns the response header [Access-Control-Allow-Origin: https://api.t.zshui.org] (the API's own origin rather than the calling page's origin), the error becomes:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.t.zshui.org/service/requestToken. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘https://api.t.zshui.org’).

Note in particular that if the site returns [Access-Control-Allow-Origin: *] rather than the specific [Access-Control-Allow-Origin: https://admin.t.zshui.org], the ajax call must be made with [withCredentials: false]:

$.ajax({
        url: 'https://api.t.zshui.org/api/service/requestToken',
        xhrFields: {
            // withCredentials: true  -- only works when the server echoes the specific origin
            //                          and also sends Access-Control-Allow-Credentials: true
            withCredentials: false    // required when the server answers with Access-Control-Allow-Origin: *
        }
});

Otherwise, with [withCredentials: true], the browser still returns the following error (the wildcard is never accepted for a credentialed request):

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.t.zshui.org/service/requestToken. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘*’).

The same applies to the wildcard in the following headers: for a credentialed request the browser treats '*' as a literal header or method name rather than as a wildcard, so the allowed headers and methods must be listed explicitly:

  • [Access-Control-Allow-Headers: *]

  • [Access-Control-Allow-Methods: *]

  • [withCredentials: true] on its own does not share [Cookie] information cross-origin. Only when the browser sets [withCredentials: true] and the server answers with [Access-Control-Allow-Credentials: true] (together with a specific, non-wildcard Access-Control-Allow-Origin) will the browser send cookies on subsequent requests and honour Set-Cookie in the responses. Cookies still follow the same-origin policy: only cookies set for the server's domain are sent, cookies of other domains are not, and the (cross-origin) calling page's document.cookie cannot read cookies under the server's domain.

  • 跨域资源共享 CORS 详解 (Chinese article: a detailed explanation of CORS)

  • Allow * for Access-Control-Allow-Headers and Access-Control-Allow-Methods

  2. To send the custom request headers [Request-Client-Platform|Request-Access-Token] cross-origin, the [OPTIONS] preflight response must list them in [Access-Control-Allow-Headers: …,Request-Access-Token,Request-Client-Platform] (the actual [POST] response still needs Access-Control-Allow-Origin as above). Header names are compared case-insensitively, which is why the error below shows the name in lower case.

Otherwise the browser throws the following error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.t.zshui.org/api/service/requestToken. (Reason: missing token ‘request-access-token’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel).
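Both sides of the exchange described in points 1 and 2, as an added example that is not code from the original post: a server-side CORS policy for the API at https://api.t.zshui.org, and a simplified model of the browser's CORS check that reproduces the failure reasons quoted above (the message wording is modelled on Firefox's). The origins and the custom header names come from the post; the allow-list, the function names, the `scenario` walk-through and the sample requests are assumptions made for illustration.

```javascript
'use strict';

// Example code added to this post (not the original author's). Origins and custom
// header names are taken from the post; everything else here is assumed for illustration.

// Origins allowed to read API responses (assumed allow-list; never derived from the request).
const ALLOWED_ORIGINS = new Set(['https://admin.t.zshui.org']);
// Custom request headers the API accepts; a preflight must name each one explicitly.
const ALLOWED_HEADERS = ['Content-Type', 'Request-Access-Token', 'Request-Client-Platform'];
const ALLOWED_METHODS = ['GET', 'POST'];

// Server side: compute the CORS headers for one request.
// req = { method, headers } with lower-case header names, as Node's http module delivers them.
// credentials=true means the API relies on cookies, so "*" must never be emitted.
function corsResponse(req, credentials = true) {
  const origin = req.headers.origin;
  const headers = {};
  if (!origin) return { status: 200, headers };                        // not a CORS request
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers };   // no ACAO: the browser blocks the read
  if (credentials) {
    headers['access-control-allow-origin'] = origin;       // the specific caller, never "*"
    headers['access-control-allow-credentials'] = 'true';
    headers['vary'] = 'Origin';                            // a per-origin answer must not be cached across origins
  } else {
    headers['access-control-allow-origin'] = '*';
  }
  const isPreflight = req.method === 'OPTIONS' && !!req.headers['access-control-request-method'];
  if (isPreflight) {
    headers['access-control-allow-methods'] = ALLOWED_METHODS.join(', ');
    headers['access-control-allow-headers'] = ALLOWED_HEADERS.join(', ');
    headers['access-control-max-age'] = '600';
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Split a comma-separated header value into lower-case tokens.
const tokens = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// Browser side (simplified): returns null if the page at pageOrigin may read the response,
// otherwise the reason the browser would report. `preflight` carries the method and the
// custom headers the page asked for, when the request needed a preflight.
function browserCorsCheck(pageOrigin, { withCredentials, preflight }, res) {
  const acao = res.headers['access-control-allow-origin'];
  if (acao === undefined) return "CORS header 'Access-Control-Allow-Origin' missing";
  if (acao === '*') {
    if (withCredentials) return "CORS header 'Access-Control-Allow-Origin' does not match '*'";
  } else if (acao !== pageOrigin) {
    return `CORS header 'Access-Control-Allow-Origin' does not match '${acao}'`;
  }
  if (withCredentials && res.headers['access-control-allow-credentials'] !== 'true') {
    return "expected 'true' in CORS header 'Access-Control-Allow-Credentials'";
  }
  if (preflight) {
    const methods = tokens(res.headers['access-control-allow-methods']);
    const allowedHeaders = tokens(res.headers['access-control-allow-headers']);
    const star = (list) => !withCredentials && list.includes('*');   // "*" is a wildcard only without credentials
    const method = preflight.method.toLowerCase();
    const safelisted = ['get', 'head', 'post'].includes(method);     // safelisted methods need no listing
    if (!methods.includes(method) && !safelisted && !star(methods)) {
      return "Did not find method in CORS header 'Access-Control-Allow-Methods'";
    }
    for (const h of preflight.headers.map((s) => s.toLowerCase())) {
      // even the wildcard form never covers Authorization
      const ok = allowedHeaders.includes(h) || (star(allowedHeaders) && h !== 'authorization');
      if (!ok) return `missing token '${h}' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel`;
    }
  }
  return null;
}

// Walk the post's scenario: the admin page POSTs to the API with the two custom headers.
// Returns null on success or the first reason the browser would block the request.
function scenario(credentialsOnServer, withCredentials) {
  const page = 'https://admin.t.zshui.org';
  const wanted = { method: 'POST', headers: ['Request-Access-Token', 'Request-Client-Platform'] };
  const preflightReq = { method: 'OPTIONS', headers: {
    origin: page,
    'access-control-request-method': wanted.method,
    'access-control-request-headers': wanted.headers.join(', ').toLowerCase() } };
  const pre = browserCorsCheck(page, { withCredentials, preflight: wanted },
                               corsResponse(preflightReq, credentialsOnServer));
  if (pre) return pre;
  const actual = corsResponse({ method: 'POST', headers: { origin: page } }, credentialsOnServer);
  return browserCorsCheck(page, { withCredentials }, actual);
}
```

`scenario(true, true)` succeeds because the server echoes the specific origin with Access-Control-Allow-Credentials: true; `scenario(false, true)` fails with the "does not match '*'" reason from the post, and `scenario(false, false)` succeeds again because a wildcard is fine once the request carries no credentials. The server never reflects an arbitrary Origin header back: an origin outside the allow-list gets no Access-Control-Allow-Origin at all, which is exactly the "missing" case the browser reports.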
