HTTP protocol notes (CORS)
Summary: Author: 张亚飞 | Read Time: 1 minute read | Published: 2017-03-30
Filed under: Linux | Tags: Note
Example environment used below:
- A page on https://admin.t.zshui.org calls a resource on https://api.t.zshui.org cross-origin. The API site must answer the preflight OPTIONS request (and the actual request that follows it) with the response header [Access-Control-Allow-Origin: https://admin.t.zshui.org] or [Access-Control-Allow-Origin: *].
Otherwise the browser reports the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.t.zshui.org/api/service/requestToken. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
If the site instead returns the response header [Access-Control-Allow-Origin: https://api.t.zshui.org] (its own origin rather than the calling page's origin), the request is blocked as well:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.t.zshui.org/service/requestToken. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘https://api.t.zshui.org’).
Note in particular: if the OPTIONS response carries [Access-Control-Allow-Origin: *] rather than the specific [Access-Control-Allow-Origin: https://admin.t.zshui.org], the ajax call must be made with [withCredentials: false]:
$.ajax({
    url: 'https://api.t.zshui.org/api/service/requestToken',
    type: 'POST',
    xhrFields: {
        // the server answers with Access-Control-Allow-Origin: *, so the request
        // must not carry credentials (cookies, HTTP auth, client certificates)
        //withCredentials: true
        withCredentials: false
    },
    success: function (data) { console.log(data); },
    error: function (xhr, status, err) { console.error(status, err); }
});
Otherwise, with [withCredentials: true], the browser still reports the following error, because a credentialed request is never matched against a wildcard origin:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.t.zshui.org/service/requestToken. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘*’).
The same restriction applies to wildcards in the following headers: for a credentialed request the browser treats '*' as a literal value, not as a wildcard:
[Access-Control-Allow-Headers: *]
[Access-Control-Allow-Methods: *]
Setting [withCredentials: true] on the client alone does not share [Cookie] data across origins. The browser only attaches cookies to the request, and only lets the page read the response, when the client sets [withCredentials: true] and the server answers with [Access-Control-Allow-Credentials: true] together with a specific (non-wildcard) [Access-Control-Allow-Origin]. Cookies also keep following the same-origin rule: only cookies set for the API server's domain are sent, cookies of other domains are not, and the (cross-origin) calling page's document.cookie cannot read the cookies stored under the server's domain. Current browsers add one more condition: cookies default to SameSite=Lax, so a cookie that must travel on a cross-site credentialed request has to be set with SameSite=None; Secure.
Allow * for Access-Control-Allow-Headers and Access-Control-Allow-Methods
- To send custom request headers [Request-Client-Platform|Request-Access-Token] cross-origin, the response to the preflight OPTIONS request (the author lists it for [OPTIONS|POST]; the preflight response is the one the browser checks) must name them in [Access-Control-Allow-Headers: …,Request-Access-Token,Request-Client-Platform]. Header names are compared case-insensitively.
Otherwise the browser reports the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.t.zshui.org/api/service/requestToken. (Reason: missing token ‘request-access-token’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel).
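The following block is an added example and not code from the original post: it models, in Node.js, the browser-side CORS decisions behind every error quoted above (missing origin, mismatched origin, '*' with credentials, '*' in Allow-Headers with credentials, missing Allow-Headers token) next to the server-side header logic that satisfies them. The origins, the allow-list, the custom header names and the function names are assumptions made for illustration; the reason strings follow the wording of Firefox's "Cross-Origin Request Blocked" messages.

```javascript
// Added example, not from the original post. Models the browser-side CORS
// checks and the matching server-side headers. Origins, allow-list and
// header names are assumptions for illustration.

const CALLER = 'https://admin.t.zshui.org';   // page making the request (assumed)
const API = 'https://api.t.zshui.org';         // API origin (assumed)
const ALLOWED_ORIGINS = new Set([CALLER]);     // server-side allow-list (assumed)

// Lower-case header names so lookups are case-insensitive, as in a real UA.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Browser side: may the calling page read this cross-origin response?
// Returns null on success, otherwise the reason a browser would report.
function browserCorsCheck(responseHeaders, opts) {
  const { origin, withCredentials = false, preflight = false, requestHeaders = [] } = opts;
  const resp = lowerKeys(responseHeaders);
  const acao = resp['access-control-allow-origin'];

  if (acao === undefined) {
    return "CORS header 'Access-Control-Allow-Origin' missing";
  }
  // With credentials, '*' is not a wildcard: the value must equal the origin exactly.
  if (withCredentials ? acao !== origin : (acao !== '*' && acao !== origin)) {
    return `CORS header 'Access-Control-Allow-Origin' does not match '${acao}'`;
  }
  if (withCredentials && resp['access-control-allow-credentials'] !== 'true') {
    return "expected 'true' in CORS header 'Access-Control-Allow-Credentials'";
  }
  if (preflight) {
    // Every non-safelisted request header must be listed in Allow-Headers.
    // A '*' entry only acts as a wildcard for requests without credentials.
    const listed = new Set(
      (resp['access-control-allow-headers'] || '')
        .toLowerCase().split(',').map((s) => s.trim()).filter(Boolean)
    );
    const wildcard = !withCredentials && listed.has('*');
    for (const name of requestHeaders.map((h) => h.toLowerCase())) {
      if (!wildcard && !listed.has(name)) {
        return `missing token '${name}' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel`;
      }
    }
  }
  return null;
}

// Server side: headers to put on BOTH the OPTIONS preflight response and the
// actual response. The Origin is reflected only if it is on the allow-list,
// so Allow-Credentials is never handed to an arbitrary caller.
function serverCorsHeaders(requestOrigin, opts = {}) {
  const { allowCredentials = false, allowHeaders = [] } = opts;
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {}; // unknown origin: no CORS headers at all
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin',                                 // caches must key on Origin when reflecting
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
  };
  if (allowHeaders.length > 0) headers['Access-Control-Allow-Headers'] = allowHeaders.join(', ');
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Walk through the situations described in the post (constructed inputs).
function demo() {
  const custom = ['Request-Access-Token', 'Request-Client-Platform'];
  const creds = { origin: CALLER, withCredentials: true, preflight: true, requestHeaders: custom };
  return {
    missing: browserCorsCheck({}, { origin: CALLER }),
    wrongOrigin: browserCorsCheck({ 'Access-Control-Allow-Origin': API }, { origin: CALLER }),
    starWithCreds: browserCorsCheck({ 'Access-Control-Allow-Origin': '*' }, { origin: CALLER, withCredentials: true }),
    starNoCreds: browserCorsCheck({ 'Access-Control-Allow-Origin': '*' }, { origin: CALLER }),
    noAllowCredentials: browserCorsCheck({ 'Access-Control-Allow-Origin': CALLER }, { origin: CALLER, withCredentials: true }),
    starHeadersWithCreds: browserCorsCheck(
      { 'Access-Control-Allow-Origin': CALLER, 'Access-Control-Allow-Credentials': 'true', 'Access-Control-Allow-Headers': '*' },
      creds),
    fixed: browserCorsCheck(serverCorsHeaders(CALLER, { allowCredentials: true, allowHeaders: custom }), creds),
    unknownOrigin: browserCorsCheck(serverCorsHeaders('https://evil.example'), { origin: 'https://evil.example' }),
  };
}

console.log(demo());
```

Running it prints a reason string for each failing case from the post and `null` for the two configurations that pass: a wildcard origin without credentials, and a credentialed preflight where the server reflects the allow-listed origin, sends Access-Control-Allow-Credentials: true and lists both custom headers by name. The server helper deliberately returns no CORS headers for an origin outside the allow-list; reflecting whatever Origin arrives together with Allow-Credentials would let any site make credentialed calls to the API.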