[HTTP] Origins, CORS, Preflight
2016-07-04 03:43
An origin is made up of three parts: the scheme, the hostname and the port.
It is important to know that it is the user's browser that enforces the same-origin policy: the client browser, not the server, refuses to let you send a request to a different origin.
CORS:
![](https://images2015.cnblogs.com/blog/364241/201607/364241-20160704031949921-1101521132.png)
The client side sends the request, and the server side checks whether "Access-Control-Allow-Origin" is the same as "Referer".
One problem with this is that the request has already been sent to the server, including all the data. What we want is for the client side to send only the minimum information needed for the CORS check, instead of sending business data.
This is where the preflight request comes into play.
Preflight request:
![](https://images2015.cnblogs.com/blog/364241/201607/364241-20160704032439515-669658702.png)
It sends the OPTIONS method along with "Referer", so the server only needs to check "Referer" and return "ACAO".
To check whether a request is a preflight request, see whether it has the "OPTIONS" method in the request header.
But notice: if a request comes from a form, then it cannot be preflighted. See MORE
Preflighted requests
Unlike simple requests (discussed above), "preflighted" requests first send an HTTP request by the OPTIONS method to the resource on the other domain, in order to determine whether the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data. In particular, a request is preflighted if:
- It uses methods other than GET, HEAD or POST. Also, if POST is used to send request data with a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain, e.g. if the POST request sends an XML payload to the server using application/xml or text/xml, then the request is preflighted.
- It sets custom headers in the request (e.g. the request uses a header such as X-PINGOTHER)
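
The rules quoted above, as an added example that is not part of the original post: a small classifier that reports why a cross-origin request would be preflighted. The function names, the constants and the sample requests are hypothetical; the safelisted-header set is a simplified assumption about which headers the browser does not count as custom.

```javascript
// Added example: decide whether a cross-origin request triggers a preflight,
// following the rules quoted above. All names here are hypothetical.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Assumption: headers the browser does not treat as custom (simplified
// CORS-safelisted list; restrictions on header values are not modelled).
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// Returns the list of reasons a preflight is needed (empty = no preflight).
function preflightReasons({ method = "GET", headers = {} }) {
  const reasons = [];
  const m = method.toUpperCase();
  if (!SIMPLE_METHODS.has(m)) reasons.push(`method ${m}`);
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) {
      reasons.push(`custom header ${name}`);
    } else if (n === "content-type") {
      // Strip parameters such as "; charset=UTF-8" before comparing.
      const type = String(value).split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(type)) reasons.push(`content-type ${type}`);
    }
  }
  return reasons;
}

function needsPreflight(request) {
  return preflightReasons(request).length > 0;
}

// Constructed sample requests: a form-style POST, an XML POST,
// a request with a custom header, and a non-simple method.
const samples = [
  { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } },
  { method: "POST", headers: { "Content-Type": "application/xml" } },
  { method: "GET", headers: { "X-PINGOTHER": "pingpong" } },
  { method: "DELETE" },
];
for (const s of samples) {
  console.log(s.method, JSON.stringify(s.headers || {}), "->",
    needsPreflight(s) ? preflightReasons(s).join(", ") : "no preflight");
}
```

The first sample is what an HTML form can produce, which is why a form submission is never preflighted. An endpoint that accepts those three content types therefore receives the full request before any CORS check and needs its own CSRF defense.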