AJAX normally has one restriction: it cannot access "off-site" resources. The resource being requested must have the same origin (scheme, host and port) as the page that issues the AJAX request.
To address this, the W3C recommended the Cross-Origin Resource Sharing (CORS) mechanism.
Access control is, naturally, in the hands of the resource provider (the foreign site): it decides which origins may read its responses.
The simplest cross-origin request looks like this:
```http
GET /some/resource HTTP/1.1          # Request
Host: othersite.net
Origin: http://mysite.net

HTTP/1.1 200 OK                      # Response
Access-Control-Allow-Origin: *
...
```
The browser sends the request with an Origin header field that states the origin the page belongs to. The server answers with an Access-Control-Allow-Origin field; if its value is * or exactly matches the requesting origin, the browser lets the page read the response, otherwise it discards it (the request itself has already reached the server). If any one of the following conditions is met, "preflight" mode is used: the method is something other than GET, HEAD or POST; the request carries a header outside the CORS-safelisted set (Accept, Accept-Language, Content-Language, Content-Type), such as a custom X-User header; or the Content-Type is something other than application/x-www-form-urlencoded, multipart/form-data or text/plain.
"Preflight" mode essentially means that, before sending the real request, the browser first asks the server (with an OPTIONS request) whether the method and headers it intends to use are permitted.
```http
OPTIONS /some/resource HTTP/1.1                        # Preflight Request
Host: othersite.net
Origin: http://mysite.net
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-User

HTTP/1.1 200 OK                                        # Preflight Response
Access-Control-Allow-Origin: http://mysite.net         # Allowed Origin
Access-Control-Allow-Methods: POST, GET, OPTIONS       # Allowed Methods
Access-Control-Allow-Headers: X-User                   # Allowed Headers
Access-Control-Max-Age: 1728000                        # Preflight Cache (seconds)

... Actual Request & Response Below ...

POST /some/resource HTTP/1.1                           # Actual Request
Host: othersite.net
Origin: http://mysite.net
X-User: noyesno

HTTP/1.1 200 OK                                        # Actual Response
Access-Control-Allow-Origin: *
```
Two details worth noting: the actual response must carry Access-Control-Allow-Origin as well, since preflight approval alone does not let the page read it; and Access-Control-Max-Age is only a hint, as browsers cap the preflight cache at their own limit (Chromium at 7200 seconds, Firefox at 86400 seconds), so a value of 1728000 (20 days) will not be honoured in full.
Based on the above, making a server support cross-origin requests boils down to adding the following response headers:
```http
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type
Access-Control-Max-Age: 3600                 # 1 hour
```
Be aware of what Access-Control-Allow-Origin: * means: any site on the web may read this resource from a visitor's browser. Browsers also refuse to combine * with Access-Control-Allow-Credentials: true, so a resource that depends on cookies or HTTP authentication must echo a specific origin instead. When doing that, check the Origin against an exact allowlist rather than reflecting whatever the request sends (or matching on a substring), and add Vary: Origin so caches do not serve one origin's response to another; a server that reflects arbitrary origins while allowing credentials lets any malicious page read authenticated responses. Finally, CORS only controls whether the page can read the response; a simple POST is still delivered and executed by the server, so CORS is not a substitute for CSRF protection.
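The following is an added example, not code from the original article: a small Node.js handler that applies the preflight rules and the response-header recipe described above, but with an exact-match origin allowlist instead of *. The names ALLOWED_ORIGINS, ALLOWED_METHODS, ALLOWED_HEADERS, MAX_AGE_SECONDS and corsDecision are assumptions chosen for the example, and the requests fed to it in the demo are constructed to mirror the exchange shown earlier.

```javascript
// Added example (not from the original article). Decides which CORS headers
// to attach to a response, following the rules described in the text.
// Assumed configuration for the example:
const ALLOWED_ORIGINS = new Set(['http://mysite.net', 'https://mysite.net']);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['Content-Type', 'X-User'];
const MAX_AGE_SECONDS = 3600; // 1 hour, as in the recipe above

const allowedHeadersLower = ALLOWED_HEADERS.map((h) => h.toLowerCase());

// `req` has { method, headers } with lowercase header names, which is what
// Node's http.IncomingMessage provides. Returns { status, headers }:
// status is 204 for an approved preflight, 403 for a rejected one, and null
// when the caller should go on to serve the actual resource.
function corsDecision(req) {
  const origin = req.headers['origin'];
  // No Origin header: not a cross-origin browser request, nothing to add.
  if (origin === undefined) return { status: null, headers: {} };

  // Exact-match allowlist. Never reflect Origin blindly and never use a
  // substring or suffix check such as origin.endsWith('mysite.net'), which
  // an attacker-controlled "http://evilmysite.net" would satisfy.
  const originAllowed = ALLOWED_ORIGINS.has(origin);
  // The response depends on Origin, so shared caches must key on it.
  const headers = { Vary: 'Origin' };

  const isPreflight =
    req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;

  if (!isPreflight) {
    // Actual request: only an allowed origin gets Access-Control-Allow-Origin.
    // Without it the browser discards the response (the request still ran,
    // which is why CORS is not a CSRF defence).
    if (originAllowed) headers['Access-Control-Allow-Origin'] = origin;
    return { status: null, headers };
  }

  // Preflight: origin, requested method and requested headers must all pass.
  const wantMethod = req.headers['access-control-request-method'].toUpperCase();
  const wantHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);

  const methodOk = ALLOWED_METHODS.includes(wantMethod);
  const headersOk = wantHeaders.every((h) => allowedHeadersLower.includes(h));
  if (!originAllowed || !methodOk || !headersOk) {
    return { status: 403, headers };
  }

  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = String(MAX_AGE_SECONDS);
  return { status: 204, headers };
}

// Stand-alone demo: serve /some/resource with the decision applied.
// (Guarded so that importing this file for tests does not open a socket.)
if (typeof require !== 'undefined' && require.main === module) {
  const http = require('http');
  http
    .createServer((req, res) => {
      const { status, headers } = corsDecision(req);
      for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
      if (status !== null) {
        res.statusCode = status; // 204 approved preflight, 403 rejected
        return res.end();
      }
      res.setHeader('Content-Type', 'application/json');
      res.end(JSON.stringify({ user: req.headers['x-user'] || null }));
    })
    .listen(8080, () => console.log('listening on http://localhost:8080'));
}
```

Against the exchange shown earlier, the constructed preflight (OPTIONS with Origin: http://mysite.net, Access-Control-Request-Method: POST, Access-Control-Request-Headers: X-User) is answered with 204 and the allow headers, the same preflight from http://evilmysite.net or asking for DELETE gets 403 with no Access-Control-Allow-Origin, and the subsequent POST from the allowed origin is passed through with Access-Control-Allow-Origin set to that exact origin rather than *.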