Access-Control-Expose-Headers - how does it work?

Posted 2025-02-03 01:56:34 | 891 characters | 4 views | 0 comments

I understand it determines the headers the client can access from the server response; however, I am confused about exactly when this is applied. Does it determine the headers for every cross-origin request that is allowed by the Access-Control-Allow-Origin header?

To test this I set up a test site in Express and put the following code in it:

const express = require('express')
const app = express()

app.get('/', (req, res) => {
    res.set('Access-Control-Allow-Origin', 'https://www.google.com') // to be able to make a cross-origin request
    res.set('foo', 'bar') // custom header that should get filtered because I haven't set the Access-Control-Expose-Headers header
    res.send('Hello world')
})

app.listen(3000) // port used by the fetch() in the answer below

Based on my understanding of this, because I haven't set any special Access-Control-Expose-Headers header in the response, the client should only be able to access CORS-safelisted response headers and therefore should not be able to see my foo header.

But when I'm at https://www.google.com (which I allowed for CORS with the Access-Control-Allow-Origin header) and send a GET request to my test site, I see the foo header in the response just fine. Why is this? Could someone explain how this works or at least point me in the right direction? Thanks in advance.

Comments (1)

挽袖吟 2025-02-10 01:56:34

I figured it out. The reason I was receiving my custom header was that I was reading the response headers in the Network tab of Chrome Dev Tools. When I run this script:

fetch('http://127.0.0.1:3000/')
  .then(r => { console.log(r.headers.get('foo')) }) // read the custom header from the filtered CORS response

It prints null. So the header is not actually accessible to the fetch request, only to the Dev Tools.
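As an added illustration of the answer (example code, not from the question or the comment above), the following models the browser-side filtering from the Fetch spec that makes the fetch() above print null: the header-name sets, the sample response object and the function names are mine, not the page's.

```javascript
// Added example: a model of the filtering a browser applies to a cross-origin
// response before fetch() script can read it (the Fetch spec's "CORS-exposed
// header-name list"). The server sends every header; the browser hides the rest.
const CORS_SAFELISTED_RESPONSE_HEADERS = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);
// Never readable from script, even if a server lists them.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

// Split "foo, X-Request-Id" into ['foo', 'x-request-id'].
function parseExposeHeaders(value) {
  if (!value) return [];
  return value.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Given the headers the server sent (plain object, name -> value), return the
// subset a cross-origin caller can read. `credentials` mirrors the request's
// credentials mode: with credentials, '*' is a literal name, not a wildcard.
function exposedHeaders(responseHeaders, { credentials = false } = {}) {
  const sent = {};
  for (const [k, v] of Object.entries(responseHeaders)) sent[k.toLowerCase()] = v;
  const expose = parseExposeHeaders(sent['access-control-expose-headers']);
  const wildcard = !credentials && expose.includes('*');
  const readable = {};
  for (const [name, value] of Object.entries(sent)) {
    if (FORBIDDEN_RESPONSE_HEADERS.has(name)) continue;
    if (CORS_SAFELISTED_RESPONSE_HEADERS.has(name) || wildcard || expose.includes(name)) {
      readable[name] = value;
    }
  }
  return readable;
}

// What response.headers.get(name) would return to script for that response.
function scriptHeaderGet(responseHeaders, name, opts) {
  return exposedHeaders(responseHeaders, opts)[name.toLowerCase()] ?? null;
}

// Constructed sample: what the question's Express handler sends back.
const questionResponse = {
  'Access-Control-Allow-Origin': 'https://www.google.com',
  'Content-Type': 'text/html; charset=utf-8',
  'foo': 'bar',
};
// The same response with the header the question was missing.
const fixedResponse = { ...questionResponse, 'Access-Control-Expose-Headers': 'foo' };
console.log(scriptHeaderGet(questionResponse, 'foo')); // null, as in the answer
console.log(scriptHeaderGet(fixedResponse, 'foo'));    // 'bar'
```

Note that Access-Control-Allow-Origin itself is not safelisted, so script cannot read it either; only the DevTools Network tab shows the unfiltered response.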
