Cross-origin requests are divided into simple and non-simple requests. A request that meets both of the following conditions (on its method and on its headers) is a simple request; the browser sends it directly, without a preflight.

Simple request: request method

| Request method | Description |
| --- | --- |
| HEAD | Fetches only the header information |
| GET | |
| POST | |
Simple request: HTTP header information (the request may carry only these headers)

| HTTP header | Description |
| --- | --- |
| Accept | Specifies the content types the client can accept, e.g. image/gif |
| Accept-Language | Specifies the natural languages the client can accept; if not specified, any language is considered acceptable, e.g. Accept-Language: zh-cn |
| Content-Language | The natural language of the entity body. If not set, the entity content is assumed to be readable in all languages |
| Last-Event-ID | The identifier of the last event received (used by Server-Sent Events) |
| Content-Type | The media type of the entity body, limited to three values: application/x-www-form-urlencoded, multipart/form-data, text/plain |
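The classification rule from the two tables above, as an added example that is not part of the original article. It takes a method and a header map and reports whether the browser would send the request directly or issue a preflight first; the sample requests at the bottom are constructed for the demo. Header names are compared case-insensitively, and for Content-Type only the media type is compared, so a parameter such as `; charset=utf-8` does not by itself force a preflight.

```javascript
// Added example (not from the original article): classify a request as
// "simple" (sent directly) or "non-simple" (preflight required) using the
// method and header rules in the tables above.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "last-event-id", "content-type",
]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Returns { simple: boolean, reason: string }.
function classifyRequest(method, headers) {
  const m = method.toUpperCase();
  if (!SIMPLE_METHODS.has(m)) {
    return { simple: false, reason: `method ${m} requires a preflight` };
  }
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) {
      return { simple: false, reason: `header ${name} is not CORS-safelisted` };
    }
    if (lower === "content-type") {
      // Only the media type counts; parameters such as "; charset=utf-8" do not.
      const mediaType = String(value).split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) {
        return { simple: false, reason: `Content-Type ${mediaType} requires a preflight` };
      }
    }
  }
  return { simple: true, reason: "method and headers are all safelisted" };
}

// Constructed sample requests (not real traffic).
const sampleRequests = [
  ["GET", { Accept: "image/gif" }],
  ["POST", { "Content-Type": "application/x-www-form-urlencoded" }],
  ["POST", { "Content-Type": "text/plain; charset=utf-8" }],
  ["POST", { "Content-Type": "application/json" }],
  ["PUT", { "Content-Type": "text/plain" }],
  ["GET", { "X-Requested-With": "XMLHttpRequest" }],
];

for (const [method, headers] of sampleRequests) {
  const r = classifyRequest(method, headers);
  console.log(`${method} ${JSON.stringify(headers)} -> ${r.simple ? "simple" : "preflight"} (${r.reason})`);
}
```

The last two samples are the ones that trip people up in practice: a PUT with a harmless Content-Type and a GET carrying one custom header both require a preflight, so a server that only answers the actual request and never handles OPTIONS will break them.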
Response headers the server sets for a simple request

| Response header | Description |
| --- | --- |
| Access-Control-Allow-Origin | Specifies which origin is allowed to read the response; can be set to * to allow all origins, e.g. res.setHeader("Access-Control-Allow-Origin", "http://localhost") |
| Access-Control-Allow-Credentials | When present with the value true, the cross-origin request is allowed to carry cookies. withCredentials is the matching client-side setting that decides whether the browser sends cookies to the server |
| Access-Control-Expose-Headers | By default the client's XMLHttpRequest can read only six response headers: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified and Pragma. Any other header must be listed in Access-Control-Expose-Headers before the client can read it |
If Access-Control-Allow-Credentials is true (that is, if the header is present at all), Access-Control-Allow-Origin cannot be *: the browser rejects the response. When cookies are sent, Access-Control-Allow-Origin must name the requesting origin explicitly. The cookies involved are still the server's own: only cookies set for the server's domain are uploaded with the request, never the page's. Because of this rule, servers are often written to echo the request's Origin header back in Access-Control-Allow-Origin; doing that for any origin, without checking it against an allowlist, gives every website credentialed access to the API and is the most common CORS misconfiguration.
document.cookie in the page's own code cannot read cookies belonging to the server's domain (client side), and they cannot be read through xmlHttp.getResponseHeader("Set-Cookie") either, because Set-Cookie is a response header the browser never exposes to script.
xmlHttp can read the foo and boo headers when the server sets them like this (Node.js):

```javascript
// Allow any origin, and expose the two custom headers so getResponseHeader() can read them
res.setHeader("Access-Control-Allow-Origin", "*");
res.setHeader("Access-Control-Expose-Headers", "foo,boo");
res.setHeader("foo", "foo");
res.setHeader("boo", "boo");
```
A request whose method is PUT or DELETE, or whose Content-Type is application/json, is non-simple. Non-simple requests involve two major steps.

Step one is the preflight request: the browser first sends a request with the method OPTIONS, carrying the following three headers:

| Header name | Description |
| --- | --- |
| Origin | The origin (scheme, host and port) the request is being sent from |
| Access-Control-Request-Method | The method the actual cross-origin request will use |
| Access-Control-Request-Headers | The additional (custom) headers the actual CORS request will send, so the server can decide whether to accept them |
The server checks whether the Origin is one it allows and, if the check passes, responds with a matching Access-Control-Allow-Origin together with the following headers:

| Header name | Description |
| --- | --- |
| Access-Control-Allow-Methods | The CORS request methods the server supports, separated by commas |
| Access-Control-Allow-Headers | Required whenever the request carried Access-Control-Request-Headers; lists all the header names the server accepts, separated by commas |
| Access-Control-Allow-Credentials | Same meaning as for simple requests |
| Access-Control-Max-Age | How long, in seconds, the browser may cache this preflight result and skip the preflight for later requests |
Access-Control-Request-Headers and Access-Control-Request-Method are not set by the developer; the browser generates them automatically: Access-Control-Request-Headers from the custom headers of the request, and Access-Control-Request-Method from the request's method. Step two, once the preflight passes, is the actual request: the browser sends it with the original method and headers, and the server answers it with the same response headers as for a simple request. If the preflight fails (non-2xx status, or Allow-Methods/Allow-Headers that do not cover what was asked for), the actual request is never sent.
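The whole server-side exchange, for both the preflight and the actual request, as an added example that is not from the original article. The origin allowlist (http://localhost and https://app.example.com), the permitted methods and header names, and the foo/boo headers are assumptions for the demo. The function takes a request as `{ method, headers }` with lower-case header names, the shape Node's http module provides, and returns the status and headers to send, so it can be wired into http.createServer. It goes beyond the page in two respects a practitioner would want: it checks Origin against an allowlist instead of echoing it (the credentialed-reflection mistake described above), and it adds Vary: Origin so a shared cache cannot serve one origin's answer to another.

```javascript
// Added example (not from the original article): a server-side CORS policy
// covering both the OPTIONS preflight and the actual request. Allowlist,
// methods, header names and the exposed headers are assumptions for the demo.
const ALLOWED_ORIGINS = new Set(["http://localhost", "https://app.example.com"]);
const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "DELETE"]);
const ALLOWED_HEADERS = new Set(["content-type", "authorization", "x-custom-id"]);
const EXPOSED_HEADERS = ["foo", "boo"];
const PREFLIGHT_MAX_AGE = 600; // seconds the browser may cache the preflight result

// req = { method, headers } with lower-case header names (as Node's http module gives them).
// Returns { status, headers }: the status to send and the headers to add to the response.
function corsResponse(req) {
  const origin = req.headers.origin;
  if (origin === undefined) {
    // Same-origin request or non-browser client: no CORS headers needed.
    return { status: 200, headers: {} };
  }
  // Never echo an arbitrary Origin while credentials are allowed: that would let any
  // site make cookie-bearing requests. Reject origins that are not on the allowlist.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: { Vary: "Origin" } };
  }
  const common = {
    // A specific origin, not "*": "*" is rejected by the browser once credentials are allowed.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The answer depends on the Origin header, so caches must key on it.
    Vary: "Origin",
  };

  const isPreflight =
    req.method === "OPTIONS" && req.headers["access-control-request-method"] !== undefined;
  if (isPreflight) {
    const wantedMethod = req.headers["access-control-request-method"].toUpperCase();
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    if (!ALLOWED_METHODS.has(wantedMethod)) {
      return { status: 403, headers: { Vary: "Origin" } };
    }
    if (wantedHeaders.some((h) => !ALLOWED_HEADERS.has(h))) {
      return { status: 403, headers: { Vary: "Origin" } };
    }
    return {
      status: 204, // preflight has no body
      headers: {
        ...common,
        "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
        "Access-Control-Allow-Headers": [...ALLOWED_HEADERS].join(", "),
        "Access-Control-Max-Age": String(PREFLIGHT_MAX_AGE),
      },
    };
  }

  // Actual request (simple, or sent after a successful preflight): expose the
  // custom headers that XMLHttpRequest.getResponseHeader() is allowed to read.
  return {
    status: 200,
    headers: { ...common, "Access-Control-Expose-Headers": EXPOSED_HEADERS.join(", ") },
  };
}

// Constructed preflight for a PUT with a JSON body and one custom header, from an allowed origin.
const demoPreflight = corsResponse({
  method: "OPTIONS",
  headers: {
    origin: "http://localhost",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "Content-Type, X-Custom-Id",
  },
});
console.log(demoPreflight);
```

In an http.createServer handler, call corsResponse(req), copy the returned headers with res.setHeader, and for a preflight end the response immediately with the returned status. A 403 on the preflight makes the browser fail the cross-origin request before the actual PUT or DELETE is ever sent, which is exactly the point of the exchange.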
Incorrect header settings (the original shows a screenshot here, not reproduced): the browser blocks the response and reports a CORS error in the console.

Correct settings (screenshot in the original, not reproduced): the request succeeds.

Two further observations from the test:

Cookies cannot be set across origins for the page's own origin; the cookie the server output was not stored in this test. Whether the browser stores it for the server's own domain depends on the request having been made with withCredentials and on the cookie's SameSite attribute.

Reading the Set-Cookie header from Ajax (client side) is refused and the browser prints an error in the console, because Set-Cookie is never exposed to script, regardless of Access-Control-Expose-Headers.
The above is the detailed content of CORS (cross-origin) request summary and testing. For more information, please follow other related articles on the PHP Chinese website!