1

I'm trying to implement proper CORS logic in my service. From looking at all the available documentation, it's not clear to me whether, in the case of a cross-origin OPTIONS request, the client would send (1) a pre-flight OPTIONS request, and if allowed by the pre-flight response, (2) a "regular" (non-pre-flight) OPTIONS request.

In other words, in my server, when I get a pre-flight OPTIONS request, should I execute both the CORS logic and the normal OPTIONS request processing logic at the same time, populating the normal OPTIONS response headers as well as the the Access-Control-* response headers?

Or should I just do the CORS logic for the pre-flight request, and expect a follow-up OPTIONS request if the OPTIONS method is allowed from the origin?

[extra credit for pointing to an authoritative reference]

4

1 回答 1

3

在 OPTIONS 请求的情况下,您将收到一个预检 OPTIONS 请求,然后是实际的 OPTIONS 请求。可以识别预检 OPTIONS 请求,因为它将具有:1) 一个 OPTIONS HTTP 方法,2) 一个 Origin 标头,以及 3) 一个 Access-Control-Request-Method 标头。实际的 OPTIONS 请求将只有:1) 一个 OPTIONS HTTP 方法,以及 2) 一个 Origin 标头。实际的 OPTIONS 请求将没有 Access-Control-Request-Method 标头。

下面是一个例子来证明这一点:http ://client.cors-api.appspot.com/client#?client_method=OPTIONS&client_credentials=false&server_enable=true&server_status=200&server_credentials=false&server_methods=OPTIONS&server_tabs=local

于 2014-10-31T14:12:48.343 回答