Home > Web Front-end > JS Tutorial > CORS (cross-origin) request summary and testing

CORS (cross-origin) request summary and testing

巴扎黑
Release: 2017-06-23 10:50:57
Original
3144 people have browsed it

1. Simple requests and non-simple requests

Cross-domain requests are divided into simple and non-simple requests. Those that meet the following two conditions can be determined as simple requests. Simple request request method

Request method Description
head Sending header Department information
get
post

Simple request HTTP header information

http header information Description
accept Specify what type of information the client can accept, eg: image/git
accept-language Specify the natural language that the client can accept, if It is not specified, but any language is considered acceptable. eg: accept-language: zh-cn
content-language The natural language used to describe entity headers and resources. If this rule is not set, the entity content will be made available to all language readers
Last-Event-ID The identifier of the last event received
content-type The type of entity messages and resources is limited to three values: application/x-www-form-unlencoded, multipart/form-data, text/plain

2. Simple request processing principle

Request header Description
Access-Control-Allow-origin Specify websites that can be accessed across domains, which can be set to * to indicate all res.setHeader("Access-Control-Allow-origin" ,"http://localhost")
Access-Control-Allow-Credentials Have this header or the value is true, indicating that cross-domain is acceptable cookies. And withCredentials is the client setting whether to pass cookies to the server.
Access-Control-Expose-Headers Default cors request. The client's xmlHttpRequrest can only get 6 fields such as Cache-Control, Content-Language, Content-Type, Exprise, Last-Modified, and Pragma. Other headers need to be specified through Access-Control-Expose-Headers

Note

  1. If Access-Control-Allow-Credentials is set to true, or this header is present, then Access-Control-Allow-Origin will The ____ does not work*.

  2. When sending a cookie, Access-Control-Allow-Origin cannot be *, the cookie is still from the same source, and only the cookie set by the server domain name will be uploaded.

  3. The document.cookie in the original web page code cannot read the cookie under the server domain name (client), nor can it be read through xmlHttp.getResponseHeader("set-cookies").

  4. xmlHttp can obtain foo and boo objects

res.setHeader("Access-Control-Allow-origin","*"); 
res.setHeader("Access-Control-Expose-Headers", "foo,boo"),
res.setHeader("foo", "foo");
res.setHeader("boo", "boo");
Copy after login

3. Non-simple request processing principle

If the request method is PUT, DELETE, or the Content-type is appliction/json. There are two major steps for non-simple requests:

  1. Pre-verification "request", the browser will send a request with the request method options, and then it will bring the following three headers

Header name Description
Origin Indicates the source domain name to send the request
Access-Control-Request-Method Request method that needs to be executed across domains (can also be called action)
Access-Control-Request-Headers Specify the additional header information that will be sent by the cors request, giving the client the opportunity to customize the header
  1. The service determines whether the Access-Control-Allow-Origin header is specified and the value is matchable. If the verification is passed, the following header content will be output:

Header name Description
Access-Control-Allow-Methods Indicates that the server supports cors request method, multiple separated by commas
Access-Control-Allow-Headers If the request has Access-Control-Request-Headers header, it must be returned This header indicates all header information supported by the server. Multiple headers are separated by commas
Access-Control-Allow-Credentials Consistent with simple requests
Access-Control-Max-Age Specify the validity period of this pre-verification, unit: seconds

Note:

  1. Access-Control-Request-Headers and Access-Control-Request-Method do not need to be set by developers. This is automatically recognized by the browser. Access-Control-Request-Headers is based on The request's custom header is generated, and Access-Control-Request-Method is generated based on the requested method.

  2. Indications of incorrect header settings:

3. Correct settings:

4. Handling of cross-domain cookies (not possible)

  1. Cookies cannot be set across domains. The cookie output by the server is invalid

  2. ajax gets the set-Cookies header (client), and an error will be prompted

The above is the detailed content of CORS (cross-origin) request summary and testing. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template