跨域资源共享 GET:'拒绝获取不安全的标头“etag"'从响应

2022-01-15 00:00:00 cors rest web-applications javascript ajax

没有自定义标头的简单 GET 请求.响应按预期返回.可以访问正文中的数据,但不能访问标题.

A simple GET request with no custom headers. The response is returned as expected. The data in the body is accessible, but not the headers.

当我尝试访问etag"标头时,浏览器会引发异常:

When I try to access the "etag" header, browsers raise an exception :

拒绝获取不安全的标头etag"

Refused to get unsafe header "etag"

Chrome、Safari 和 Firefox 的行为都相同.我没有在IE上测试过.

Chrome, Safari and Firefox all behave the same. I didn't test it on IE.

我在这里错过了什么?

推荐答案

使用 CORS 时只暴露简单的响应头.这里定义了简单的响应头.ETag 不是一个简单的响应头.如果要暴露非简单的标头,则需要设置 Access-Control-Expose-Headers 标头,如下所示:

Only simple response headers are exposed when using CORS. Simple response headers are defined here. ETag is not a simple response headers. If you want to expose non-simple headers, you need to set the Access-Control-Expose-Headers header, like so:

Access-Control-Expose-Headers: ETag

但是,请注意,我注意到 Chrome、Safari 和 Firefox 中的错误会阻止非简单标头正确公开.这可能现在已经解决了,我不确定.

However, note that I've noticed bugs in Chrome, Safari and Firefox that prevent non-simple headers from being exposed correctly. This may be fixed by now, I'm not sure.

您不需要进行预检请求,因为只有非 GET/POST http 方法或非简单的 request 标头才需要预检(并且您正在询问 response 标题).

You shouldn't need to do a preflight request, since preflight is only required for non-GET/POST http methods or non-simple request headers (and you are asking about response headers).

相关文章