Instance analysis laravel cross-domain function activation method

For security reasons, browsers will limit cross-domain requests in Script. Since XMLHttpRequest follows the same-origin policy, all applications that use XMLHttpRequest to construct HTTP requests can only access their own domain names. If they need to construct cross-domain requests, developers need to cooperate with the browser to make some configurations that allow cross-domain requests.

This article mainly introduces to you the relevant information on how to enable cross-domain functions in Laravel. The article introduces it in great detail through sample code. It has certain reference and learning value for everyone's study or work. I hope it can help everyone. .

The W3C Application Working Group recommends a cross-resource sharing mechanism that allows Web application servers to support cross-site access control, thereby making it possible to secure cross-site data transmission. This mechanism uses several This method extends the original mode:

• The response header should be appended with Access-Control-Allow-Orign to indicate which request sources are allowed to access resource content

• The browser will verify the match between the request source and the value in the response

• For cross-domain requests, the browser will pre-send a non-simple method to determine whether a given resource is ready to accept cross-domain resource access

• The server application determines whether the request is cross-domain by checking the Orign in the request header.

Cross-origin resource sharing standard

The cross-origin resource sharing standard adds a series of HTTP headers to allow the server to declare which sources can be accessed through the browser on the server H. In addition, for HTTP request methods that will cause destructive responses to server data (especially HTTP methods other than GET, or POST requests with certain MIME types), the standard strongly requires that the browser must first send a preset request in the OPTIONS request method. request (preflight request) to obtain the HTTP methods supported by the server for cross-origin requests. After confirming that the server allows cross-origin requests, send the real request with the actual HTTP request method. The server can also notify the client whether credit information (including Cookies and HTTP authentication related data) needs to be sent along with the request.

The cross-origin sharing standard requires the cooperation of the browser and the server to complete. Currently, browser manufacturers can automatically complete the request part, so the focus of cross-origin resource access is still on the server side.

The following lists some response headers and request headers available in the standard.

Response Header

• Access-Control-Allow-Origin: Indicates which request sources are allowed to access resources. The value can be "*", "null", or a single source address.

• Access-Control-Allow-Credentials : Indicates whether the response is exposed when the creadentials identifier is omitted from the request. For pre-requests, it indicates that the user credentials can be included in the actual request.

• Access-Control-Expose-Headers : Specifies which header information can be safely exposed to the CORS API specification API.

• Access-Control-Max-Age : Specifies how long pre-requests can be stored in the pre-request cache.

• Access-Control-Allow-Methods: For pre-requests, which request methods can be used for actual requests.

• Access-Control-Allow-Headers: For pre-requests, indicates which header information can be used in the actual request.

• Origin: Indicates the origin of pre-request or cross-domain request.

• Access-Control-Request-Method: For pre-requests, indicate which request methods in pre-requests can be used in actual requests.

• Access-Control-Request-Headers: Indicates which header information in the pre-request can be used in the actual request.

Request Header

• Origin: Indicates the origin of the request or pre-request.

• Access-Control-Request-Method: Bring this request header when sending a pre-request to indicate the request method that will be used in the actual request.

• Access-Control-Request-Headers: This request header is included when sending the pre-request, indicating the request headers that the actual request will carry.

Middleware

To allow cross-domain requests in Laravel, we can build a middleware that appends responses to add response headers that specifically handle cross-domain requests. :

<?php namespace App\Http\Middleware;

use Closure;
use Response;
class EnableCrossRequestMiddleware {

 /**
 * Handle an incoming request.
 *
 * @param \Illuminate\Http\Request $request
 * @param \Closure $next
 * @return mixed
 */
 public function handle($request, Closure $next)
 {

 $response = $next($request);
  $response->header('Access-Control-Allow-Origin', config('app.allow'));
  $response->header('Access-Control-Allow-Headers', 'Origin, Content-Type, Cookie, Accept');
  $response->header('Access-Control-Allow-Methods', 'GET, POST, PATCH, PUT, OPTIONS');
  $response->header('Access-Control-Allow-Credentials', 'true');
  return $response;
 }

}

There are the following things to note:

• For cross-domain access And requests that need to be accompanied by authentication information need to specify withCredentials as true in the XMLHttpRequest instance.

• You can build this middleware according to your own needs. If you need to include authentication information (including cookie, session) in the request, then you need to specify Access-Control-Allow-Credentials Is true, because for pre-requests, if you do not specify this response header, the browser will directly ignore the response.

• When Access-Control-Allow-Credentials is specified as true in the response, Access-Control-Allow-Origin cannot be specified as *

• Post-middleware will only add response headers when responding normally. If an exception occurs, the response will not go through the middleware.

related suggestion:

Three ways jQuery uses JSONP to obtain cross-domain data

The above is the detailed content of Instance analysis laravel cross-domain function activation method. For more information, please follow other related articles on the PHP Chinese website!