Why is an OPTIONS request sent and can I disable it?

This article is translated from: Why is an OPTIONS request sent and can I disable it?

I am building a web API. I found whenever I use Chrome to POST, GET to my API, there is always an OPTIONS request sent before the real request, which is quite annoying. Currently I get the server to ignore any OPTIONS requests. Now my question is what's good to send an OPTIONS request to double the server's load? Is there any way to completely stop the browser from sending OPTIONS requests?


Post #1

Reference: https://stackoom.com/question/21gPd/爲什麼要發送OPTIONS請求-我可以禁用它嗎


Post #2

edit 2018-09-13: added some precisions about this pre-flight request and how to avoid it at the end of this response.

OPTIONS requests are what we call pre-flight requests in Cross-origin resource sharing (CORS).

They are necessary when you're making requests across different origins in specific situations.

This pre-flight request is made by some browsers as a safety measure to ensure that the request being done is trusted by the server. Meaning the server understands that the method, origin and headers being sent on the request are safe to act upon.

Your server should not ignore but handle these requests whenever you're attempting to do cross origin requests.

A good resource can be found here: http://enable-cors.org/

A way to handle these to get comfortable is to ensure that for any path with OPTIONS method the server sends a response with this header:

Access-Control-Allow-Origin: *

This will tell the browser that the server is willing to answer requests from any origin.

For more information on how to add CORS support to your server see the following flowchart:

http://www.html5rocks.com/static/images/cors_server_flowchart.png

CORS flowchart


edit 2018-09-13

CORS OPTIONS request is triggered only in some cases, as explained in MDN docs:

Some requests don't trigger a CORS preflight. Those are called “simple requests” in this article, though the Fetch spec (which defines CORS) doesn't use that term. A request that doesn't trigger a CORS preflight—a so-called “simple request”—is one that meets all the following conditions:

The only allowed methods are:

  • GET
  • HEAD
  • POST

Apart from the headers set automatically by the user agent (for example, Connection, User-Agent, or any of the other headers with names defined in the Fetch spec as a “forbidden header name”), the only headers which are allowed to be manually set are those which the Fetch spec defines as being a “CORS-safelisted request-header”, which are:

  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type (but note the additional requirements below)
  • DPR
  • Downlink
  • Save-Data
  • Viewport-Width
  • Width

The only allowed values for the Content-Type header are:

  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/plain

No event listeners are registered on any XMLHttpRequestUpload object used in the request; these are accessed using the XMLHttpRequest.upload property.

No ReadableStream object is used in the request.


Post #3

You can't, but you could avoid CORS by using JSONP.


Post #4

Yes, it's possible to avoid the options request. The options request is a preflight request when you send (post) any data to another domain. It's a browser security issue. But we can use another technology: iframe transport layer. I strongly recommend you forget about any CORS configuration and use a readymade solution, and it will work anywhere.

Take a look here: https://github.com/jpillora/xdomain

And working example: http://jpillora.com/xdomain/


Post #5

Please refer to this answer on the actual need for the pre-flighted OPTIONS request: CORS - What is the motivation behind introducing preflight requests?

To disable the OPTIONS request, the below conditions must be satisfied for the ajax request:

  1. Request does not set custom HTTP headers like 'application/xml' or 'application/json' etc.
  2. The request method has to be one of GET, HEAD or POST. If POST, content type should be one of application/x-www-form-urlencoded, multipart/form-data, or text/plain.

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS


Post #6

As mentioned in previous posts already, OPTIONS requests are there for a reason. If you have an issue with large response times from your server (e.g. overseas connection) you can also have your browser cache the preflight requests.

Have your server reply with the Access-Control-Max-Age header and for requests that go to the same endpoint the preflight request will have been cached and not occur anymore.
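A preflight handler that answers OPTIONS instead of ignoring it and sets Access-Control-Max-Age so the browser can cache the result. This is an added example, not code from any of the posts; the origin allowlist, the method and header lists, the 600-second lifetime and the `next` callback are assumptions, and it echoes an allowlisted origin instead of sending `*`.

```javascript
// Added example; every value below is an assumed, illustrative setting.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization"];
const MAX_AGE_SECONDS = 600;

// Decide the answer to a CORS preflight from its lower-cased request headers
// (Node's req.headers is already lower-cased).
function preflightResponse(reqHeaders) {
  const origin = reqHeaders["origin"];
  const method = reqHeaders["access-control-request-method"];
  const wanted = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);

  // Not a preflight, or an origin/method/header we do not serve: reply without
  // CORS headers, so the browser never sends the real request.
  const permitted = origin && method &&
    ALLOWED_ORIGINS.has(origin) &&
    ALLOWED_METHODS.includes(method) &&
    wanted.every((h) => ALLOWED_HEADERS.includes(h));
  if (!permitted) return { status: 403, headers: {} };

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      // Lets the browser reuse this answer instead of re-sending OPTIONS.
      "Access-Control-Max-Age": String(MAX_AGE_SECONDS),
      // The answer depends on Origin, so shared caches must key on it.
      Vary: "Origin",
    },
  };
}

// Node-style handler: answers OPTIONS itself, passes everything else to `next`.
function corsHandler(req, res, next) {
  if (req.method !== "OPTIONS") return next(req, res);
  const { status, headers } = preflightResponse(req.headers);
  res.writeHead(status, headers);
  res.end();
}
```

The response to the real request still needs its own Access-Control-Allow-Origin header, and browsers cap the Max-Age value they will honour.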
