W3C CORS spec在第 2 步中明确指出:
If the response has an HTTP status code of 301, 302, 303, 307, or 308
Apply the cache and network error steps.
我认为添加此措施是为了降低安全风险。但是,我无法找到详细说明允许重定向的安全后果的来源。
关于如何规避这个问题的问题已经被问到before .我正在寻找为什么首先将此条款包含在规范中的解释,例如以下问题:
CORS - What is the motivation behind introducing preflight requests?
Why does a cross-origin HEAD request need a preflight check?
最佳答案
Mostly because with preflight fetches everything gets more complicated. We did leave the door open to potentially allow this at some point, provided we figure out a sane protocol, but left it out initially for simplicity.
关于http - 为什么 CORS 规范不允许重定向?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/24135854/