1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
---
title: Access-Control-Allow-Headers
slug: Web/HTTP/Headers/Access-Control-Allow-Headers
tags:
- CORS
- HTTP
- 超文本传输协议
- 跨域资源共享
- 首部
translation_of: Web/HTTP/Headers/Access-Control-Allow-Headers
---
<div>{{HTTPSidebar}}</div>
<p>响应首部 <strong><code>Access-Control-Allow-Headers</code></strong> 用于 {{glossary("preflight request")}} (预检请求)中,列出了将会在正式请求的 {{HTTPHeader("Access-Control-Request-Headers")}} 字段中出现的首部信息。</p>
<p>简单首部,如 {{glossary("simple header", "simple headers")}}、{{HTTPHeader("Accept")}}、{{HTTPHeader("Accept-Language")}}、{{HTTPHeader("Content-Language")}}、{{HTTPHeader("Content-Type")}} (只限于解析后的值为 <code>application/x-www-form-urlencoded、</code><code>multipart/form-data </code>或 <code>text/plain 三种MIME类型(不包括参数)),它们始终是被支持的,不需要在这个首部特意列出。</code></p>
<p>如果请求中含有 {{HTTPHeader("Access-Control-Request-Headers")}} 字段,那么这个首部是必要的。</p>
<table class="properties">
<tbody>
<tr>
<th scope="row">Header type</th>
<td>{{Glossary("Response header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<td>no</td>
</tr>
</tbody>
</table>
<h2 id="语法">语法</h2>
<pre class="notranslate">Access-Control-Allow-Headers: <em><header-name></em>[, <em><header-name></em>]*
Access-Control-Allow-Headers: *</pre>
<h2 id="指令">指令</h2>
<dl>
<dt><code><header-name></code></dt>
<dd>可支持的请求首部名字。请求头会列出所有支持的首部列表,用逗号隔开。</dd>
</dl>
<p>注意以下这些特定的首部是一直允许的:{{HTTPHeader("Accept")}}, {{HTTPHeader("Accept-Language")}}, {{HTTPHeader("Content-Language")}}, {{HTTPHeader("Content-Type")}} (但只在其值属于 MIME 类型 <code>application/x-www-form-urlencoded</code>, <code>multipart/form-data</code> 或 <code>text/plain</code>中的一种时)。这些被称作{{Glossary("simple headers")}},你无需特意声明它们。</p>
<p><strong><code>*</code> (wildcard)</strong></p>
<p>对于没有凭据的请求(没有HTTP cookie或HTTP认证信息的请求),值“ <code>*</code>”仅作为特殊的通配符值。 在具有凭据的请求中,它被视为没有特殊语义的文字标头名称“ *”。 请注意,{{HTTPHeader("Authorization")}}标头不能使用通配符,并且始终需要明确列出。</p>
<h2 id="示例">示例</h2>
<h3 id="自定义的请求头">自定义的请求头</h3>
<p>下面是 <code>Access-Control-Allow-Headers</code> 标头的一个示例。 它表明,除了CORS安全清单列出的请求标头外,对服务器的CORS请求还支持名为X-Custom-Header的自定义标头。</p>
<pre class="notranslate"><code>Access-Control-Allow-Headers: X-Custom-Header</code></pre>
<h3 id="Multiple_headers">Multiple headers</h3>
<p>此示例展示了支持多个标头时的 <code>Access-Control-Allow-Headers</code> 。</p>
<pre class="notranslate"><code>Access-Control-Allow-Headers: X-Custom-Header, Upgrade-Insecure-Requests</code></pre>
<h3 id="Example_preflight_request">Example preflight request</h3>
<p>让我们看一个涉及<code>Access-Control-Allow-Headers</code>的预检请求示例。 </p>
<h4 id="Request">Request</h4>
<p>First, the request. The preflight request is an {{HTTPMethod("OPTIONS")}} request which includes some combination of the three preflight request headers: {{HTTPHeader("Access-Control-Request-Method")}}, {{HTTPHeader("Access-Control-Request-Headers")}}, and {{HTTPHeader("Origin")}}, such as:</p>
<pre class="notranslate"><code>OPTIONS /resource/foo
Access-Control-Request-Method: DELETE
Access-Control-Request-Headers: origin, x-requested-with
Origin: https://foo.bar.org</code></pre>
<h4 id="Response">Response</h4>
<p>If the server allows CORS requests to use the {{HTTPMethod("DELETE")}} method, it responds with an {{HTTPHeader("Access-Control-Allow-Methods")}} response header, which lists <code>DELETE</code> along with the other methods it supports:</p>
<pre class="notranslate"><code>HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Origin: https://foo.bar.org
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Max-Age: 86400</code></pre>
<p>If the requested method isn't supported, the server will respond with an error.</p>
<h2 id="规范">规范</h2>
<table class="standard-table">
<tbody>
<tr>
<th scope="col">Specification</th>
<th scope="col">Status</th>
<th scope="col">Comment</th>
</tr>
<tr>
<td>{{SpecName('Fetch','#http-access-control-allow-headers', 'Access-Control-Allow-Headers')}}</td>
<td>{{Spec2("Fetch")}}</td>
<td>Initial definition.</td>
</tr>
</tbody>
</table>
<h2 id="浏览器兼容性">浏览器兼容性</h2>
<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
<p>{{Compat("http.headers.Access-Control-Allow-Headers")}}</p>
<h2 id="有关兼容性的注意事项">有关兼容性的注意事项</h2>
<ul>
<li>在最新规范中提出的通配符(*),尚未被如下浏览器实现:
<ul>
<li>Chromium: <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=615313">Issue 615313</a></li>
<li>Firefox: {{bug(1309358)}}</li>
<li>Servo: <a href="https://github.com/servo/servo/issues/13283">Issue 13283</a></li>
<li>WebKit: <a href="https://bugs.webkit.org/show_bug.cgi?id=165508">Issue 165508</a></li>
</ul>
</li>
</ul>
<h2 id="相关内容">相关内容</h2>
<ul>
<li>{{HTTPHeader("Access-Control-Allow-Origin")}}</li>
<li>{{HTTPHeader("Access-Control-Expose-Headers")}}</li>
<li>{{HTTPHeader("Access-Control-Allow-Methods")}}</li>
<li>{{HTTPHeader("Access-Control-Request-Headers")}}</li>
</ul>
|
