blob: 7085ccb0f01e52cb0ca80076a734a36f3a574f4d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
---
title: Access-Control-Allow-Credentials
slug: Web/HTTP/Headers/Access-Control-Allow-Credentials
tags:
- CORS
- Reference
- header
- 响应头
- 跨域
translation_of: Web/HTTP/Headers/Access-Control-Allow-Credentials
---
<div>{{HTTPSidebar}}</div>
<p><strong><code>Access-Control-Allow-Credentials</code></strong> 响应头表示是否可以将对请求的响应暴露给页面。返回true则可以,其他值均不可以。</p>
<p>Credentials可以是 cookies, authorization headers 或 TLS client certificates。</p>
<p>当作为对预检请求的响应的一部分时,这能表示是否真正的请求可以使用credentials。注意简单的{{HTTPMethod("GET")}} 请求没有预检,所以若一个对资源的请求带了credentials,如果这个响应头没有随资源返回,响应就会被浏览器忽视,不会返回到web内容。</p>
<p><code>Access-Control-Allow-Credentials</code> 头 工作中与{{domxref("XMLHttpRequest.withCredentials")}} 或Fetch API中的{{domxref("Request.Request()", "Request()")}} 构造器中的<code>credentials</code> 选项结合使用。Credentials必须在前后端都被配置(即the <code>Access-Control-Allow-Credentials</code> header 和 XHR 或Fetch request中都要配置)才能使带credentials的CORS请求成功。</p>
<table class="properties">
<tbody>
<tr>
<th scope="row">头部类型</th>
<td>{{Glossary("Response header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<td>no</td>
</tr>
</tbody>
</table>
<h2 id="语法">语法</h2>
<pre class="syntaxbox">Access-Control-Allow-Credentials: true
</pre>
<h2 id="指令">指令</h2>
<dl>
<dt>true</dt>
<dd>这个头的唯一有效值(区分大小写)。如果不需要credentials,相比将其设为false,请直接忽视这个头。</dd>
</dl>
<h2 id="例子">例子</h2>
<p>允许credentials:</p>
<pre>Access-Control-Allow-Credentials: true</pre>
<p>使用带credentials的 <a href="/en-US/docs/Web/API/XMLHttpRequest">XHR</a> :</p>
<pre class="brush: js">var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://example.com/', true);
xhr.withCredentials = true;
xhr.send(null);</pre>
<p>使用带credentials的 <a href="/en-US/docs/Web/API/Fetch_API">Fetch</a> :</p>
<pre class="brush: js">fetch(url, {
credentials: 'include'
})</pre>
<h2 id="规范">规范</h2>
<table class="standard-table">
<tbody>
<tr>
<th scope="col">规范</th>
<th scope="col">状态</th>
<th scope="col">注释</th>
</tr>
<tr>
<td>{{SpecName('Fetch','#http-access-control-allow-credentials', 'Access-Control-Allow-Credentials')}}</td>
<td>{{Spec2("Fetch")}}</td>
<td>Initial definition</td>
</tr>
</tbody>
</table>
<h2 id="浏览器兼容性">浏览器兼容性</h2>
<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
<p>{{Compat("http/headers/access-control-allow-credentials")}}</p>
<h2 id="查阅更多">查阅更多</h2>
<ul>
<li>{{domxref("XMLHttpRequest.withCredentials")}}</li>
<li>{{domxref("Request.Request()", "Request()")}}</li>
</ul>
|
