diff options
Diffstat (limited to 'files/zh-cn/web/http/headers/access-control-allow-headers')
| -rw-r--r-- | files/zh-cn/web/http/headers/access-control-allow-headers/index.html | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/files/zh-cn/web/http/headers/access-control-allow-headers/index.html b/files/zh-cn/web/http/headers/access-control-allow-headers/index.html new file mode 100644 index 0000000000..d6a3737780 --- /dev/null +++ b/files/zh-cn/web/http/headers/access-control-allow-headers/index.html @@ -0,0 +1,134 @@ +--- +title: Access-Control-Allow-Headers +slug: Web/HTTP/Headers/Access-Control-Allow-Headers +tags: + - CORS + - HTTP + - 超文本传输协议 + - 跨域资源共享 + - 首部 +translation_of: Web/HTTP/Headers/Access-Control-Allow-Headers +--- +<div>{{HTTPSidebar}}</div> + +<p>响应首部 <strong><code>Access-Control-Allow-Headers</code></strong> 用于 {{glossary("preflight request")}} (预检请求)中,列出了将会在正式请求的 {{HTTPHeader("Access-Control-Request-Headers")}} 字段中出现的首部信息。</p> + +<p>简单首部,如 {{glossary("simple header", "simple headers")}}、{{HTTPHeader("Accept")}}、{{HTTPHeader("Accept-Language")}}、{{HTTPHeader("Content-Language")}}、{{HTTPHeader("Content-Type")}} (只限于解析后的值为 <code>application/x-www-form-urlencoded、</code><code>multipart/form-data </code>或 <code>text/plain 三种MIME类型(不包括参数)),它们始终是被支持的,不需要在这个首部特意列出。</code></p> + +<p>如果请求中含有 {{HTTPHeader("Access-Control-Request-Headers")}} 字段,那么这个首部是必要的。</p> + +<table class="properties"> + <tbody> + <tr> + <th scope="row">Header type</th> + <td>{{Glossary("Response header")}}</td> + </tr> + <tr> + <th scope="row">{{Glossary("Forbidden header name")}}</th> + <td>no</td> + </tr> + </tbody> +</table> + +<h2 id="语法">语法</h2> + +<pre class="notranslate">Access-Control-Allow-Headers: <em><header-name></em>[, <em><header-name></em>]* +Access-Control-Allow-Headers: *</pre> + +<h2 id="指令">指令</h2> + +<dl> + <dt><code><header-name></code></dt> + <dd>可支持的请求首部名字。请求头会列出所有支持的首部列表,用逗号隔开。</dd> +</dl> + +<p>注意以下这些特定的首部是一直允许的:{{HTTPHeader("Accept")}}, {{HTTPHeader("Accept-Language")}}, {{HTTPHeader("Content-Language")}}, {{HTTPHeader("Content-Type")}} (但只在其值属于 MIME 类型 <code>application/x-www-form-urlencoded</code>, <code>multipart/form-data</code> 或 <code>text/plain</code>中的一种时)。这些被称作{{Glossary("simple headers")}},你无需特意声明它们。</p> + +<p><strong><code>*</code> (wildcard)</strong></p> + +<p>对于没有凭据的请求(没有HTTP cookie或HTTP认证信息的请求),值“ <code>*</code>”仅作为特殊的通配符值。 在具有凭据的请求中,它被视为没有特殊语义的文字标头名称“ *”。 请注意,{{HTTPHeader(“ Authorization”)}}标头不能使用通配符,并且始终需要明确列出。</p> + +<h2 id="示例">示例</h2> + +<h3 id="自定义的请求头">自定义的请求头</h3> + +<p>下面是 <code>Access-Control-Allow-Headers</code> 标头的一个示例。 它表明,除了CORS安全清单列出的请求标头外,对服务器的CORS请求还支持名为X-Custom-Header的自定义标头。</p> + +<pre class="notranslate"><code>Access-Control-Allow-Headers: X-Custom-Header</code></pre> + +<h3 id="Multiple_headers">Multiple headers</h3> + +<p>此示例展示了支持多个标头时的 <code>Access-Control-Allow-Headers</code> 。</p> + +<pre class="notranslate"><code>Access-Control-Allow-Headers: X-Custom-Header, Upgrade-Insecure-Requests</code></pre> + +<h3 id="Example_preflight_request">Example preflight request</h3> + +<p>让我们看一个涉及<code>Access-Control-Allow-Headers</code>的预检请求示例。 </p> + +<h4 id="Request">Request</h4> + +<p>First, the request. The preflight request is an {{HTTPMethod("OPTIONS")}} request which includes some combination of the three preflight request headers: {{HTTPHeader("Access-Control-Request-Method")}}, {{HTTPHeader("Access-Control-Request-Headers")}}, and {{HTTPHeader("Origin")}}, such as:</p> + +<pre class="notranslate"><code>OPTIONS /resource/foo +Access-Control-Request-Method: DELETE +Access-Control-Request-Headers: origin, x-requested-with +Origin: https://foo.bar.org</code></pre> + +<h4 id="Response">Response</h4> + +<p>If the server allows CORS requests to use the {{HTTPMethod("DELETE")}} method, it responds with an {{HTTPHeader("Access-Control-Allow-Methods")}} response header, which lists <code>DELETE</code> along with the other methods it supports:</p> + +<pre class="notranslate"><code>HTTP/1.1 200 OK +Content-Length: 0 +Connection: keep-alive +Access-Control-Allow-Origin: https://foo.bar.org +Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE +Access-Control-Max-Age: 86400</code></pre> + +<p>If the requested method isn't supported, the server will respond with an error.</p> + +<h2 id="规范">规范</h2> + +<table class="standard-table"> + <tbody> + <tr> + <th scope="col">Specification</th> + <th scope="col">Status</th> + <th scope="col">Comment</th> + </tr> + <tr> + <td>{{SpecName('Fetch','#http-access-control-allow-headers', 'Access-Control-Allow-Headers')}}</td> + <td>{{Spec2("Fetch")}}</td> + <td>Initial definition.</td> + </tr> + </tbody> +</table> + +<h2 id="浏览器兼容性">浏览器兼容性</h2> + +<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p> + +<p>{{Compat("http.headers.Access-Control-Allow-Headers")}}</p> + +<h2 id="有关兼容性的注意事项">有关兼容性的注意事项</h2> + +<ul> + <li>在最新规范中提出的通配符(*),尚未被如下浏览器实现: + <ul> + <li>Chromium: <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=615313">Issue 615313</a></li> + <li>Firefox: {{bug(1309358)}}</li> + <li>Servo: <a href="https://github.com/servo/servo/issues/13283">Issue 13283</a></li> + <li>WebKit: <a href="https://bugs.webkit.org/show_bug.cgi?id=165508">Issue 165508</a></li> + </ul> + </li> +</ul> + +<h2 id="相关内容">相关内容</h2> + +<ul> + <li>{{HTTPHeader("Access-Control-Allow-Origin")}}</li> + <li>{{HTTPHeader("Access-Control-Expose-Headers")}}</li> + <li>{{HTTPHeader("Access-Control-Allow-Methods")}}</li> + <li>{{HTTPHeader("Access-Control-Request-Headers")}}</li> +</ul> |