CORS (cross-origin) request summary and testing
1. Simple requests and non-simple requests
Cross-domain requests are divided into simple and non-simple requests. Those that meet the following two conditions can be determined as simple requests. Simple request request method
| Request method | Description |
| head | Sending header Department information |
| get | |
| post |
Simple request HTTP header information
| http header information | Description |
| accept | Specify what type of information the client can accept, eg: image/git |
| accept-language | Specify the natural language that the client can accept, if It is not specified, but any language is considered acceptable. eg: accept-language: zh-cn |
| content-language | The natural language used to describe entity headers and resources. If this rule is not set, the entity content will be made available to all language readers |
| Last-Event-ID | The identifier of the last event received |
| content-type | The type of entity messages and resources is limited to three values: application/x-www-form-unlencoded, multipart/form-data, text/plain |
2. Simple request processing principle
| Request header | Description |
| Access-Control-Allow-origin | Specify websites that can be accessed across domains, which can be set to * to indicate all res.setHeader("Access-Control-Allow-origin" ,"http://localhost")
|
| Access-Control-Allow-Credentials | Have this header or the value is true, indicating that cross-domain is acceptable cookies. And withCredentials is the client setting whether to pass cookies to the server. |
| Access-Control-Expose-Headers | Default cors request. The client's xmlHttpRequrest can only get 6 fields such as Cache-Control, Content-Language, Content-Type, Exprise, Last-Modified, and Pragma. Other headers need to be specified through Access-Control-Expose-Headers |
Note
If Access-Control-Allow-Credentials is set to true, or this header is present, then Access-Control-Allow-Origin will The ____ does not work*.
When sending a cookie, Access-Control-Allow-Origin cannot be *, the cookie is still from the same source, and only the cookie set by the server domain name will be uploaded.
The document.cookie in the original web page code cannot read the cookie under the server domain name (client), nor can it be read through xmlHttp.getResponseHeader("set-cookies").
xmlHttp can obtain foo and boo objects
res.setHeader("Access-Control-Allow-origin","*");
res.setHeader("Access-Control-Expose-Headers", "foo,boo"),
res.setHeader("foo", "foo");
res.setHeader("boo", "boo");
3. Non-simple request processing principle
If the request method is PUT, DELETE, or the Content-type is appliction/json. There are two major steps for non-simple requests:
Pre-verification "request", the browser will send a request with the request method options, and then it will bring the following three headers
| Header name | Description |
| Origin | Indicates the source domain name to send the request |
| Access-Control-Request-Method | Request method that needs to be executed across domains (can also be called action) |
| Access-Control-Request-Headers | Specify the additional header information that will be sent by the cors request, giving the client the opportunity to customize the header |
The service determines whether the Access-Control-Allow-Origin header is specified and the value is matchable. If the verification is passed, the following header content will be output:
| Header name | Description |
| Access-Control-Allow-Methods | Indicates that the server supports cors request method, multiple separated by commas |
| Access-Control-Allow-Headers | If the request has Access-Control-Request-Headers header, it must be returned This header indicates all header information supported by the server. Multiple headers are separated by commas |
| Access-Control-Allow-Credentials | Consistent with simple requests |
| Access-Control-Max-Age | Specify the validity period of this pre-verification, unit: seconds |
Note:
Access-Control-Request-Headers and Access-Control-Request-Method do not need to be set by developers. This is automatically recognized by the browser. Access-Control-Request-Headers is based on The request's custom header is generated, and Access-Control-Request-Method is generated based on the requested method.
Indications of incorrect header settings:
3. Correct settings:
4. Handling of cross-domain cookies (not possible)
Cookies cannot be set across domains. The cookie output by the server is invalid
ajax gets the set-Cookies header (client), and an error will be prompted
The above is the detailed content of CORS (cross-origin) request summary and testing. For more information, please follow other related articles on the PHP Chinese website!
From Websites to Apps: The Diverse Applications of JavaScriptApr 22, 2025 am 12:02 AMJavaScript is widely used in websites, mobile applications, desktop applications and server-side programming. 1) In website development, JavaScript operates DOM together with HTML and CSS to achieve dynamic effects and supports frameworks such as jQuery and React. 2) Through ReactNative and Ionic, JavaScript is used to develop cross-platform mobile applications. 3) The Electron framework enables JavaScript to build desktop applications. 4) Node.js allows JavaScript to run on the server side and supports high concurrent requests.
Python vs. JavaScript: Use Cases and Applications ComparedApr 21, 2025 am 12:01 AMPython is more suitable for data science and automation, while JavaScript is more suitable for front-end and full-stack development. 1. Python performs well in data science and machine learning, using libraries such as NumPy and Pandas for data processing and modeling. 2. Python is concise and efficient in automation and scripting. 3. JavaScript is indispensable in front-end development and is used to build dynamic web pages and single-page applications. 4. JavaScript plays a role in back-end development through Node.js and supports full-stack development.
The Role of C/C in JavaScript Interpreters and CompilersApr 20, 2025 am 12:01 AMC and C play a vital role in the JavaScript engine, mainly used to implement interpreters and JIT compilers. 1) C is used to parse JavaScript source code and generate an abstract syntax tree. 2) C is responsible for generating and executing bytecode. 3) C implements the JIT compiler, optimizes and compiles hot-spot code at runtime, and significantly improves the execution efficiency of JavaScript.
JavaScript in Action: Real-World Examples and ProjectsApr 19, 2025 am 12:13 AMJavaScript's application in the real world includes front-end and back-end development. 1) Display front-end applications by building a TODO list application, involving DOM operations and event processing. 2) Build RESTfulAPI through Node.js and Express to demonstrate back-end applications.
JavaScript and the Web: Core Functionality and Use CasesApr 18, 2025 am 12:19 AMThe main uses of JavaScript in web development include client interaction, form verification and asynchronous communication. 1) Dynamic content update and user interaction through DOM operations; 2) Client verification is carried out before the user submits data to improve the user experience; 3) Refreshless communication with the server is achieved through AJAX technology.
Understanding the JavaScript Engine: Implementation DetailsApr 17, 2025 am 12:05 AMUnderstanding how JavaScript engine works internally is important to developers because it helps write more efficient code and understand performance bottlenecks and optimization strategies. 1) The engine's workflow includes three stages: parsing, compiling and execution; 2) During the execution process, the engine will perform dynamic optimization, such as inline cache and hidden classes; 3) Best practices include avoiding global variables, optimizing loops, using const and lets, and avoiding excessive use of closures.
Python vs. JavaScript: The Learning Curve and Ease of UseApr 16, 2025 am 12:12 AMPython is more suitable for beginners, with a smooth learning curve and concise syntax; JavaScript is suitable for front-end development, with a steep learning curve and flexible syntax. 1. Python syntax is intuitive and suitable for data science and back-end development. 2. JavaScript is flexible and widely used in front-end and server-side programming.
Python vs. JavaScript: Community, Libraries, and ResourcesApr 15, 2025 am 12:16 AMPython and JavaScript have their own advantages and disadvantages in terms of community, libraries and resources. 1) The Python community is friendly and suitable for beginners, but the front-end development resources are not as rich as JavaScript. 2) Python is powerful in data science and machine learning libraries, while JavaScript is better in front-end development libraries and frameworks. 3) Both have rich learning resources, but Python is suitable for starting with official documents, while JavaScript is better with MDNWebDocs. The choice should be based on project needs and personal interests.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
