This article draws on: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
Overview
Access-Control-Allow-Credentials
The only valid value is the lowercase true (the value is case-sensitive). If credentials are not needed, simply omit the header; do not set it to false.
When XMLHttpRequest.withCredentials = true or Request.credentials = 'include' is used, the browser lets front-end JavaScript read the response only if the response to the CORS-actual request carries Access-Control-Allow-Credentials: true.
Below we walk through, case by case, how Access-Control-Allow-Credentials affects the response to the CORS-actual request in a cross-origin request.
Cross-origin, without a CORS-preflight request
1. The CORS-actual request is sent with credentials:
a. The response to the CORS-actual request sets Access-Control-Allow-Credentials: true: the browser reads the response normally.
b. The response to the CORS-actual request does not set Access-Control-Allow-Credentials: the browser discards the response.
2. The CORS-actual request is sent without credentials:
a. Whether or not the response to the CORS-actual request sets Access-Control-Allow-Credentials has no effect.
Cross-origin, with a CORS-preflight request
I. The response to the CORS-preflight request sets Access-Control-Allow-Credentials: true:
1. The CORS-actual request is sent with credentials:
a. The response to the CORS-actual request sets Access-Control-Allow-Credentials: true: the browser reads the response normally.
b. The response to the CORS-actual request does not set Access-Control-Allow-Credentials: the browser discards the response.
2. The CORS-actual request is sent without credentials:
a. Whether or not the response to the CORS-actual request sets Access-Control-Allow-Credentials has no effect.
II. The response to the CORS-preflight request does not set Access-Control-Allow-Credentials:
1. The CORS-actual request is sent with credentials:
a. The CORS-actual request is never sent at all; in this case there is no response to the CORS-actual request to speak of.
2. The CORS-actual request is sent without credentials:
a. Whether or not the response to the CORS-actual request sets Access-Control-Allow-Credentials has no effect.
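The following is an added example, not code from the original post or from MDN: a server-side header builder that only emits Access-Control-Allow-Credentials for an allowlisted origin, next to a small model of the browser decision table above. The allowlist, origins and function names are constructed for illustration; the model covers only this header, not the other CORS checks (such as Access-Control-Allow-Origin) the browser also applies.

```javascript
// Origins trusted to make credentialed (cookie-bearing) cross-site requests.
// Constructed sample allowlist; a real service would load its own.
const CREDENTIALED_ORIGINS = new Set(['https://app.example.com']);

// Build CORS response headers for the request's Origin.
// Access-Control-Allow-Credentials is emitted only as the literal 'true' and
// only for allowlisted origins; otherwise it is omitted entirely (never 'false').
// When credentials are allowed, Access-Control-Allow-Origin must echo the exact
// origin: browsers do not accept '*' together with credentials.
function corsHeadersFor(origin) {
  const headers = { 'Vary': 'Origin' };
  if (CREDENTIALED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  } else {
    // Credential-less public access: no credentials header at all.
    headers['Access-Control-Allow-Origin'] = '*';
  }
  return headers;
}

// Model of the browser decision table from the post.
//   preflightHeaders: null when no CORS-preflight request happens, else the
//                     headers of the preflight response
//   withCredentials:  true for withCredentials=true / credentials: 'include'
//   actualHeaders:    headers of the response to the CORS-actual request
// Returns 'readable' (JS may read the response), 'ignored' (response withheld
// from JS) or 'blocked-at-preflight' (actual request never sent).
function credentialsOutcome({ preflightHeaders, withCredentials, actualHeaders }) {
  // Only the exact lowercase string 'true' counts; 'True' or 'false' do not.
  const allows = (h) => !!h && h['Access-Control-Allow-Credentials'] === 'true';
  if (!withCredentials) return 'readable';        // header has no effect here
  if (preflightHeaders !== null && !allows(preflightHeaders)) {
    return 'blocked-at-preflight';
  }
  return allows(actualHeaders) ? 'readable' : 'ignored';
}

module.exports = { corsHeadersFor, credentialsOutcome };
```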
End