某些浏览器是否需要显式允许 Origin 标头才能成功实现 CORS?
Go 流行的 CORS 中间件库是 rs/cors。在其源代码中,在无条件将 Origin
添加到允许的标头列表中的一些逻辑之上,我发现 以下评论:
始终附加来源,因为某些浏览器始终会在预检时请求此标头
Among popular CORS middleware libraries for Go is rs/cors. In its source code, above some logic that unconditionally adds Origin
to the list of allowed headers, I found the following comment:
Origin is always appended as some browsers will always request for this header at preflight
???? I find this statement surprising... The Fetch standard (the de factor standard for the CORS protocol) states that compliant user agents set the Origin
header themselves. Therefore, there should be no use for compliant user agents to require servers to explicitly list Origin
in the Access-Control-Allow-Headers
header.
Do some wacky browsers actually require the Origin
header to be explicitly allowed by the server for CORS to succeed? If so, what are those browsers and what is their rationale?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论