admin管理员组文章数量:1316824
We are seeing the well-known CORS error on our site:
XMLHttpRequest cannot load . No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '' is therefore not allowed access.
The thing is, the Access-Control-Allow-Origin is set correctly on the preflight request...
OPTIONS HTTP/1.1
Host: my-site
Access-Control-Request-Method: POST
Origin:
Access-Control-Request-Headers: my-custom-header, accept, content-type
Accept: */*
Referer: /
...other stuff...
HTTP/1.1 200 OK
Access-Control-Allow-Origin:
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: my-custom-header, accept, content-type
Access-Control-Expose-Headers: my-custom-header
...other stuff...
...however, it's not set on the subsequent request.
POST HTTP/1.1
Host: my-site
Accept: */*
My-Custom-Header: abcd123
Origin:
Referer: /
...other stuff...
HTTP/1.1 200 OK
My-Custom-Header: abcd123
...other stuff...
I don't understand the problem. According to everything I've read online, if we use a preflight request, we shouldn't need to add CORS headers for the actual request. However, that's clearly not the case.
All of the examples here and here include an Access-Control-Allow-Origin header in the actual response, but don't include any of the other "required" CORS headers. When we add that one header to our actual response, the error goes away.
So my question is, is the Access-Control-Allow-Origin header actually required in both requests? Where is that stated? And why is that true?
We are seeing the well-known CORS error on our site:
XMLHttpRequest cannot load https://my-site./api. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://my-other-site.' is therefore not allowed access.
The thing is, the Access-Control-Allow-Origin is set correctly on the preflight request...
OPTIONS https://my-site./api HTTP/1.1
Host: my-site.
Access-Control-Request-Method: POST
Origin: https://my-other-site.
Access-Control-Request-Headers: my-custom-header, accept, content-type
Accept: */*
Referer: https://my-other-site./
...other stuff...
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://my-other-site.
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: my-custom-header, accept, content-type
Access-Control-Expose-Headers: my-custom-header
...other stuff...
...however, it's not set on the subsequent request.
POST https://my-site./api HTTP/1.1
Host: my-site.
Accept: */*
My-Custom-Header: abcd123
Origin: https://my-other-site.
Referer: https://my-other-site./
...other stuff...
HTTP/1.1 200 OK
My-Custom-Header: abcd123
...other stuff...
I don't understand the problem. According to everything I've read online, if we use a preflight request, we shouldn't need to add CORS headers for the actual request. However, that's clearly not the case.
All of the examples here and here include an Access-Control-Allow-Origin header in the actual response, but don't include any of the other "required" CORS headers. When we add that one header to our actual response, the error goes away.
So my question is, is the Access-Control-Allow-Origin header actually required in both requests? Where is that stated? And why is that true?
1 Answer
Reset to default 9Yes, it appears both responses should include the necessary CORS headers.
In both the Simple Cross-Origin Request and the Cross-Origin Request with Preflight, the "actual request" follows the same behavior, checking for CORS headers regardless of the preflight (step 1 and step 3, respectively).
[...] Apply the make a request steps and observe the request rules below while making the request.
... (snipped: 3xx codes, aborts, and network errors)
Otherwise
Perform a resource sharing check. [...]
The resource sharing check algorithm for a given resource is as follows:
If the response includes zero or more than one
Access-Control-Allow-Originheader values, return fail and terminate this algorithm.[...]
The preflight request only prevents the "actual request" from beginning.
本文标签:
版权声明:本文标题:javascript - Is the Access-Control-Allow-Origin CORS header required when doing a preflight request? - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1742015367a2413665.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论