
Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must follow the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/15512331/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-08-29 06:41:22  Source: igfitidea

Chrome adding Origin header to same-origin request

Tags: javascript, ajax, html, google-chrome, cors

Asked by jan groth

We're POSTing an AJAX request to a server running locally, i.e.

var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:9000/context/request");
// XMLHttpRequest has no addHeader(); each custom header is set with setRequestHeader() after open()
xhr.setRequestHeader(someCustomHeaderName, someCustomHeaderValue);
xhr.send(someData);

The page that this javascript is being executed is also being served from localhost:9000, i.e. this totally looks like a same-origin request.

However, for some reason, Google Chrome always sets an Origin header in the resulting request, causing our server to block the request based on the false assumption that it's CORS request.

This does not happen in Firefox.

Also, neither Firefox nor Chrome is sending an OPTIONS preflight request, which is confusing; why set an Origin header without first preflighting to make sure the Origin and the custom headers are allowed by the server?

Does anyone know what is going on in this case? Are we misunderstanding the CORS spec?

Answered by monsur

Chrome and Safari include an Origin header on same-origin POST/PUT/DELETE requests (same-origin GET requests will not have an Origin header). Firefox doesn't include an Origin header on same-origin requests. Browsers don't expect CORS response headers on same-origin requests, so the response to a same-origin request is sent to the user, regardless of whether it has CORS headers or not.

I would recommend checking the Host header, and if it matches the domain in the Origin header, don't treat the request as CORS. The headers look something like this:

Host: example.com
Origin: http://example.com

Note that Origin will have the scheme (http/https), domain and port, while Host will only have the domain and port.

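An added example, not part of monsur's answer or the asker's code: a Node-style server-side check that implements the Host/Origin comparison above, run over constructed sample headers for the cases in the thread (a Chrome same-origin POST that carries Origin, a Firefox same-origin POST without Origin, and a genuine cross-origin POST). It goes one step beyond the answer by also comparing the scheme, because Host carries no scheme and an http:// page posting to the https:// server is cross-origin even though Host matches. The header values, the sample origins and the names classifyOrigin/parseHost are assumptions made for this example.

```javascript
// Added example (not from the original post): decide whether an incoming
// request is cross-origin by comparing the Origin header with the Host header
// and the scheme the server is serving on, instead of treating "Origin is
// present" as "this is a CORS request". Uses the WHATWG URL class built into Node.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split a Host header into hostname and effective port for the given scheme.
// Handles bracketed IPv6 literals such as "[::1]:9000".
function parseHost(hostHeader, scheme) {
  const m = /^(\[[^\]]+\]|[^:]+)(?::(\d+))?$/.exec(hostHeader.trim());
  if (!m) return null;
  return { hostname: m[1].toLowerCase(), port: m[2] || DEFAULT_PORTS[scheme] || "" };
}

// Classify a request. `scheme` is the scheme the server actually serves on
// ("http:" or "https:"); `headers` is a plain object keyed by lowercase header
// name, as Node's http module exposes req.headers.
// Returns "same-origin", "cross-origin" or "no-origin".
function classifyOrigin(headers, scheme) {
  const origin = headers["origin"];
  if (origin === undefined) return "no-origin";   // e.g. Firefox same-origin, or a plain GET
  if (origin === "null") return "cross-origin";   // opaque origin (sandboxed iframe, file://, redirect chain)
  let o;
  try { o = new URL(origin); } catch (e) { return "cross-origin"; } // unparseable: do not trust it
  const host = headers["host"] ? parseHost(headers["host"], scheme) : null;
  if (!host) return "cross-origin";
  // URL.port is "" when it is the scheme default, so normalise before comparing.
  const originPort = o.port || DEFAULT_PORTS[o.protocol] || "";
  const sameHost = o.hostname.toLowerCase() === host.hostname && originPort === host.port;
  // Host carries no scheme, so the scheme has to be checked separately.
  const sameScheme = o.protocol === scheme;
  return sameHost && sameScheme ? "same-origin" : "cross-origin";
}

// Constructed sample headers (assumed values) for the cases discussed in the thread.
const SAMPLE_REQUESTS = {
  chromeSameOriginPost:  { host: "localhost:9000", origin: "http://localhost:9000" },
  firefoxSameOriginPost: { host: "localhost:9000" },
  crossOriginPost:       { host: "localhost:9000", origin: "http://attacker.example:8080" },
  schemeMismatch:        { host: "example.com",    origin: "http://example.com" } // server is https
};

function demo() {
  return {
    chrome:  classifyOrigin(SAMPLE_REQUESTS.chromeSameOriginPost, "http:"),
    firefox: classifyOrigin(SAMPLE_REQUESTS.firefoxSameOriginPost, "http:"),
    cross:   classifyOrigin(SAMPLE_REQUESTS.crossOriginPost, "http:"),
    scheme:  classifyOrigin(SAMPLE_REQUESTS.schemeMismatch, "https:")
  };
}

console.log(demo());
```

Only requests classified as "cross-origin" need the CORS policy applied; "same-origin" and "no-origin" requests are handled as ordinary requests. A browser-set Origin header cannot be altered by page JavaScript, but non-browser clients can send any Origin and Host they like, so this check decides which policy to apply and is not an authentication mechanism.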
Answered by Vladimir Dzhuvinov

According to RFC 6454 (The Web Origin Concept), the presence of Origin is actually legal for any HTTP request, including same-origin requests:

http://tools.ietf.org/html/rfc6454#section-7.3

"The user agent MAY include an Origin header field in any HTTP request."
