This is the sixth day of my participation in Gwen Challenge
A simple request
- Browser: when it detects a cross-origin request, it sends the CORS request directly and automatically adds an Origin field to the request headers:

```http
GET /cors HTTP/1.1
Origin: http://api.example.com
Host: api.alice.com
Accept-Language: en-US
Connection: keep-alive
User-Agent: Mozilla/5.0
```

Origin gives the source of the request (protocol, domain name and port); the server decides from this value whether to approve the request. The browser sets Origin itself and page scripts cannot change it, which is what makes it a usable basis for that decision. In this example the page lives on http://api.example.com and is calling api.alice.com.
- Server: decides based on the Origin field:
  - If the origin is not within the permitted range, it returns a normal HTTP response. The browser finds that the response headers lack the Access-Control-Allow-Origin field, knows the request was refused, and throws an error that the request's error callback (for example XMLHttpRequest's onerror) can catch. Note that the HTTP status code may still be 200, so the failure cannot be detected from the status code alone.
  - If the origin is within the permitted range, the response headers include Access-Control-Allow-Origin (required), Access-Control-Allow-Credentials (optional) and Access-Control-Expose-Headers (optional):

```http
Access-Control-Allow-Origin: http://api.example.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: FooBar
```

- Access-Control-Allow-Origin (required): either the value of the request's Origin field, or * (requests from any origin are accepted). Two practical caveats: * cannot be combined with Access-Control-Allow-Credentials: true (browsers reject that combination), and a server that simply echoes whatever Origin it receives together with Allow-Credentials: true gives every website authenticated access to the API. Match Origin against an explicit allow-list and send Vary: Origin so that a cache does not serve one origin's answer to another.
- Access-Control-Allow-Credentials (optional): a boolean saying whether cookies may be sent; the only meaningful value is true. If the field is present with the value true, the browser may send the request with cookies (the page must also opt in on its side, for example with XMLHttpRequest's withCredentials). If the field is absent, the server does not want the browser to send cookies (the default).
- Access-Control-Expose-Headers (optional): the fields that the browser's getResponseHeader() method may read. By default only six basic fields returned by the server are readable: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified and Pragma. Any other field must be listed here; in this example getResponseHeader('FooBar') works because FooBar is exposed.
Non-simple request
- Browser: if the CORS request is not a simple request, the browser first sends a "preflight" request (an OPTIONS request) asking the server whether the current origin is on its allow list and which HTTP methods and header fields may be used:

```http
OPTIONS /cors HTTP/1.1
Origin: http://api.example.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: X-Custom-Header
Host: api.alice.com
Accept-Language: en-US
Connection: keep-alive
User-Agent: Mozilla/5.0
```

The key header is again Origin, which tells the server which origin the request comes from. Besides Origin, the preflight carries two special fields:
  1. Access-Control-Request-Method (required): the HTTP method the actual CORS request will use. Here, PUT.
  2. Access-Control-Request-Headers (optional): a comma-separated string listing the extra header fields the actual CORS request will send. Here, X-Custom-Header.
- Server: checks the Origin, Access-Control-Request-Method and Access-Control-Request-Headers of the preflight and decides whether the cross-origin request is allowed:
  - Negative: returns a normal HTTP response carrying no CORS header fields, or states explicitly that the request does not meet its requirements. The browser then treats the request as failed and fires the error callback without ever sending the actual request.
  - Agree: returns a response whose headers include Access-Control-Allow-Origin, Access-Control-Allow-Methods and the related fields, for example:
```http
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 01:15:39 GMT
Server: Apache/2.0.61 (Unix)
Access-Control-Allow-Origin: http://api.example.com
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: X-Custom-Header
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: keep-alive
```

- Access-Control-Allow-Methods (required): a comma-separated string of all methods the server supports for cross-origin requests. Note that all supported methods are returned, not only the one the browser asked for, to avoid repeated preflight requests.
- Access-Control-Allow-Headers: required when the preflight carried Access-Control-Request-Headers. Also a comma-separated string, listing all header fields the server supports, not limited to those the browser asked for in the preflight.
- Access-Control-Allow-Credentials (optional): same meaning as for simple requests.
- Access-Control-Max-Age (optional): validity period of this preflight result, in seconds. Within that period the browser does not send another preflight for the same request.

Note that Access-Control-Allow-Origin in the preflight response must match the preflight's Origin exactly (here http://api.example.com), otherwise the browser discards the result; and the methods and headers the server advertises should be the ones the API actually needs, since a preflight that answers every request with the same permissive list gives the check nothing to refuse.
- Actual request: once the preflight has passed, and for as long as its result is valid, the browser sends the actual CORS request following the same flow as a simple request: the request carries an Origin field, and every server response (not only the preflight) must carry Access-Control-Allow-Origin.
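The server-side decision described in both sections above (the simple-request response and the preflight response) as an added example in JavaScript; this is not code from the original post. It writes the policy as a pure function over request headers, so the allow-list match, the credentials rule and the preflight checks can be exercised without a browser, and adds the browser-side acceptance rule alongside it. The origins are the ones used in the post; the allow-list contents, the exposed header and the max-age value are assumptions chosen for illustration.

```javascript
// Added example, not code from the original post. ALLOWED_* values,
// EXPOSE_HEADERS and MAX_AGE_SECONDS are assumptions for illustration.
const ALLOWED_ORIGINS = new Set(["http://api.example.com"]); // exact origins only
const ALLOWED_METHODS = ["GET", "POST", "PUT"];
const ALLOWED_HEADERS = ["x-custom-header"]; // compared case-insensitively
const EXPOSE_HEADERS = ["FooBar"];
const MAX_AGE_SECONDS = 600; // assumed preflight cache lifetime

// Returns the CORS response headers for a request, {} when the request is
// not cross-origin, or null when it must be refused (the server then sends
// a normal response with no CORS headers and the browser raises an error).
// req.headers uses lower-cased names, as Node's http module delivers them.
function corsHeaders(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) return {};

  // Exact match against an allow-list. Never echo Origin back unchecked and
  // never use a substring or regex test: "http://api.example.com.evil.net"
  // must not pass.
  if (!ALLOWED_ORIGINS.has(origin)) return null;

  const headers = {
    "Access-Control-Allow-Origin": origin,
    // Cookies are allowed, so a specific origin is required: browsers
    // reject "*" when Access-Control-Allow-Credentials is "true".
    "Access-Control-Allow-Credentials": "true",
    // The answer depends on Origin, so shared caches must key on it.
    "Vary": "Origin",
  };

  const requestedMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && requestedMethod !== undefined) {
    // Preflight: check the method and every header the browser wants to send.
    if (!ALLOWED_METHODS.includes(requestedMethod)) return null;
    const wanted = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!wanted.every((h) => ALLOWED_HEADERS.includes(h))) return null;
    // Advertise everything the server supports, not only what was asked
    // for, so the browser need not preflight each variation separately.
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = String(MAX_AGE_SECONDS);
    return headers;
  }

  // Simple request, or the actual request after a successful preflight.
  headers["Access-Control-Expose-Headers"] = EXPOSE_HEADERS.join(", ");
  return headers;
}

// The browser's side of the check as the post describes it: the response is
// usable only if Allow-Origin equals the page's origin (or is "*"), and a
// credentialed request is refused when the server answered "*".
function browserAccepts(pageOrigin, withCredentials, resp) {
  if (resp === null) return false;
  const allow = resp["Access-Control-Allow-Origin"];
  if (allow === "*") return !withCredentials;
  if (allow !== pageOrigin) return false;
  return !withCredentials || resp["Access-Control-Allow-Credentials"] === "true";
}

// Constructed sample requests mirroring the two exchanges in the post.
const preflight = {
  method: "OPTIONS",
  headers: {
    origin: "http://api.example.com",
    host: "api.alice.com",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "X-Custom-Header",
  },
};
const simple = { method: "GET", headers: { origin: "http://api.example.com", host: "api.alice.com" } };
const lookalike = { method: "GET", headers: { origin: "http://api.example.com.evil.net" } };

console.log("preflight:", corsHeaders(preflight));
console.log("simple:", corsHeaders(simple));
console.log("lookalike origin:", corsHeaders(lookalike)); // null: refused
```

The point of separating the decision from the HTTP layer is that the three refusal paths (origin not on the list, method not allowed, header not allowed) all collapse to "send a normal response with no CORS headers", which is exactly what the browser needs to see; the status code is irrelevant to the browser's decision, so do not rely on returning 403 to block cross-origin reads.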