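I'd like to understand this better. The mental model I'm currently using is this:
If this model is correct, I'm confused about why the browser sends an Origin header with this preliminary request. Doesn't the match check happen on the client side? What purpose does sending this header serve?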
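Best answer
That is how CORS works. It's basically a handshake that says you are welcome to talk to me. Unless you contact the third party, you can't know whether it's possible.
Here is part of the Preflighted_requests section of the MDN article: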
Unlike simple requests (discussed above), "preflighted" requests first send an HTTP OPTIONS request header to the resource on the other domain, in order to determine whether the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data. In particular, a request is preflighted if:
- It uses methods other than GET or POST. Also, if POST is used to send request data with a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain, e.g. if the POST request sends an XML payload to the server using application/xml or text/xml, then the request is preflighted.
- It sets custom headers in the request (e.g. the request uses a header such as X-PINGOTHER)
Regarding "javascript - Why does XMLHttpRequest include the Origin header?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/13459942/
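The handshake described in the answer, as an added example that is not part of the original question or answer: the server needs the Origin header to choose which policy to return, and the browser then runs its match check against that response. The origins, the `ALLOWED` policy table and the function names are hypothetical, and the browser-side check is simplified.

```javascript
// Added example: both halves of a CORS preflight, with constructed data.
// ALLOWED is a hypothetical per-origin policy held by the server.
const ALLOWED = new Map([
  ["https://app.example", { methods: ["GET", "POST", "PUT"], headers: ["x-pingother"] }],
  ["https://reports.example", { methods: ["GET"], headers: [] }],
]);

// Server side: the Origin header is the only way the server learns who is
// asking, so it is what selects the policy and the value echoed back.
function answerPreflight(req) {
  const origin = req.headers["origin"];
  const policy = ALLOWED.get(origin);
  if (!policy) return { status: 403, headers: {} }; // no CORS headers: browser refuses
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": origin, // echo one origin, never a list
      "access-control-allow-methods": policy.methods.join(", "),
      "access-control-allow-headers": policy.headers.join(", "),
      "vary": "Origin", // keep caches from serving one origin's answer to another
    },
  };
}

// Browser side (simplified): the match check the question refers to. It runs
// on the client, but only against what the server returned for this Origin.
function browserPermits(origin, method, customHeaders, res) {
  if (res.status < 200 || res.status > 299) return false;
  const h = res.headers;
  const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  if (!list(h["access-control-allow-methods"]).includes(method.toLowerCase())) return false;
  const allowedHeaders = list(h["access-control-allow-headers"]);
  return customHeaders.every((name) => allowedHeaders.includes(name.toLowerCase()));
}

// Constructed preflight, shaped like the OPTIONS request a browser sends first.
function preflight(origin, method, customHeaders) {
  const req = {
    method: "OPTIONS",
    headers: {
      "origin": origin,
      "access-control-request-method": method,
      "access-control-request-headers": customHeaders.join(", "),
    },
  };
  return browserPermits(origin, method, customHeaders, answerPreflight(req));
}
```

The same PUT is permitted for one origin and refused for another, which is a decision the server can only make because the preflight carries Origin.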