Chrome does not block an invalid CORS request

Time: 2014-02-18 12:24:51

Tags: cors

I have a problem with a CORS request that I think should be rejected, but Chrome, Firefox and IE all accept it. The request, as captured in Wireshark, is:

GET /postcode/rest/postcodeSearch?&provider=&postcode=PL6+7TL HTTP/1.1
Host: devtestl1:5706
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost:5506
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
DNT: 1
Referer: http://localhost:5506/icm/admin/articles/dopreview.cfm?InEditorPreview=false&NodeID=1&Browser=NS6&HTMLEditor=TRUE&FlashTreePluginLocated=12&SubsiteName=&WYSIWYGEditControl=TEMPLATE&bMobileSimulator=False
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en,en-GB;q=0.8

The response is:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:5506
Access-Control-Allow-Method: POST
Access-Control-Max-Age: 60
Access-Control-Allow-Headers: Content-Type,Authorization,X-Api-Session,X-Api-Key,X-Api-Token
Access-Control-Expose-Headers: Content-Type,X-Api-Session,X-Api-Token
Content-Type: application/json; charset=utf-8
Content-Length: 669
Date: Tue, 18 Feb 2014 11:14:57 GMT
Connection: keep-alive

{"result":[{"udprn":"18994206","company":"Delta Engineering Plymouth LLP","department":"","line1":"Darklake View","line2":"Estover","line3":"","line4":"","line5":"","town":"Plymouth","county":"Devon","postcode":"PL6 7TL"},{"udprn":"18994215","company":"Goss Interactive Ltd","department":"","line1":"24 Darklake View","line2":"Estover","line3":"","line4":"","line5":"","town":"Plymouth","county":"Devon","postcode":"PL6 7TL"},{"udprn":"18994208","company":"Jennycrafts","department":"","line1":"Cranmere House","line2":"21 Darklake View","line3":"Estover","line4":"","line5":"","town":"Plymouth","county":"Devon","postcode":"PL6 7TL"}],"_transport_":{"statusCode":200}}

Even though the GET request is answered with an "Access-Control-Allow-Method: POST" header, the returned postcode data is still displayed in the browser. As far as I know, the browser should discard the whole response.

Why is this response allowed?

Thanks, Andy

1 answer:

Answer 0 (score: 0)

I think I see the problem now. The Access-Control-Allow-Method header is only used for the OPTIONS preflight message. It seems the decision to reject a request based on its method should be made on the server. The same applies to the Access-Control-Allow-Headers header.
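The following is an added example, not code from the question or the answer. It is a simplified model of the browser-side CORS algorithm for non-credentialed requests, plus the server-side method check the answer recommends, and it goes beyond the page's single GET by also running preflighted variants. Two facts it relies on: the standard header name is Access-Control-Allow-Methods (plural; the singular spelling in the capture is not recognised by browsers), and that header is consulted only when an OPTIONS preflight happens, which a plain GET with an Accept header never triggers. The origin, the Allow-Headers list and the "POST" value are taken from the capture above; the X-Api-Key value and the server functions are constructed for illustration, and the per-byte restrictions on Accept values are omitted.

```python
# Added example: simplified model of browser CORS handling (non-credentialed)
# and of server-side method enforcement. Not the questioner's code.

# Methods and headers a browser sends without an OPTIONS preflight.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                            "multipart/form-data", "text/plain"}

# Values taken from the page's capture.
PAGE_ORIGIN = "http://localhost:5506"
ALLOW_HEADERS = "Content-Type,Authorization,X-Api-Session,X-Api-Key,X-Api-Token"


def _tokens(value):
    """Split a comma-separated header value into a set of lower-cased tokens."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def needs_preflight(method, author_headers):
    """True when the request is not 'simple'. Only author-set headers count;
    browser-controlled ones (Host, Origin, User-Agent, ...) never trigger one."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    for name, value in author_headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == "content-type" and value.split(";")[0].strip().lower() not in SAFELISTED_CONTENT_TYPES:
            return True
    return False


def origin_allowed(origin, response_headers):
    """The only check applied to a non-preflighted response:
    Access-Control-Allow-Origin must be '*' or exactly the request's Origin."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao is not None and (acao == "*" or acao == origin)


def preflight_allowed(origin, method, author_headers, status, response_headers):
    """Checks applied to the OPTIONS preflight response. This is the only place
    Access-Control-Allow-Methods / -Headers are read, and a safelisted method
    (GET/HEAD/POST) passes even when it is not listed."""
    if not (200 <= status < 300) or not origin_allowed(origin, response_headers):
        return False
    methods = _tokens(response_headers.get("Access-Control-Allow-Methods", ""))
    if (method.lower() not in methods and method.upper() not in SAFELISTED_METHODS
            and "*" not in methods):
        return False
    allowed = _tokens(response_headers.get("Access-Control-Allow-Headers", ""))
    for name in author_headers:
        if name.lower() not in SAFELISTED_HEADERS and name.lower() not in allowed and "*" not in allowed:
            return False
    return True


def browser_fetch(origin, method, author_headers, server):
    """Drive the model end to end. `server` maps (method, headers) to
    (status, response_headers). Returns the status the page script sees,
    or None when the browser raises a CORS network error instead."""
    if needs_preflight(method, author_headers):
        status, headers = server("OPTIONS", {
            "Access-Control-Request-Method": method,
            "Access-Control-Request-Headers": ",".join(author_headers)})
        if not preflight_allowed(origin, method, author_headers, status, headers):
            return None
    status, headers = server(method, author_headers)
    return status if origin_allowed(origin, headers) else None


def lenient_server(method, headers):
    """Like the server in the capture: advertises POST in the non-standard
    singular header (ignored by browsers) yet serves every method."""
    return 200, {"Access-Control-Allow-Origin": PAGE_ORIGIN,
                 "Access-Control-Allow-Method": "POST",
                 "Access-Control-Allow-Headers": ALLOW_HEADERS}


def strict_server(method, headers):
    """The answer's recommendation: the server enforces the method itself.
    Standard plural header name; anything but POST gets 405."""
    cors = {"Access-Control-Allow-Origin": PAGE_ORIGIN,
            "Access-Control-Allow-Methods": "POST",
            "Access-Control-Allow-Headers": ALLOW_HEADERS}
    if method == "OPTIONS":
        return 204, cors
    return (200 if method == "POST" else 405), cors


def demo():
    """Replay the page's GET and some variants (constructed X-Api-Key value)."""
    accept = {"Accept": "application/json, text/javascript, */*; q=0.01"}
    with_key = dict(accept, **{"X-Api-Key": "constructed-value"})
    return {
        # the page's GET: simple request, no preflight, body readable -> 200
        "lenient_get": browser_fetch(PAGE_ORIGIN, "GET", accept, lenient_server),
        # same GET, server enforces the method: script sees 405
        "strict_get": browser_fetch(PAGE_ORIGIN, "GET", accept, strict_server),
        # custom header forces a preflight, but GET is safelisted -> 200
        "lenient_get_apikey": browser_fetch(PAGE_ORIGIN, "GET", with_key, lenient_server),
        # DELETE is neither safelisted nor listed: preflight fails -> None
        "lenient_delete": browser_fetch(PAGE_ORIGIN, "DELETE", accept, lenient_server),
        "strict_delete": browser_fetch(PAGE_ORIGIN, "DELETE", accept, strict_server),
        "strict_post": browser_fetch(PAGE_ORIGIN, "POST", accept, strict_server),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "lenient_get" case is exactly the situation in the question: the GET is a simple request, so the browser never performs a preflight, never looks at any Allow-Method(s) header, and only compares Access-Control-Allow-Origin against the Origin, which matches. The "lenient_get_apikey" case shows that even a preflight would not help here, because the Fetch algorithm never rejects GET, HEAD or POST on the basis of Allow-Methods; only a method such as DELETE is blocked that way. The practical mitigation is the "strict_server" path: decide on the server which methods the resource accepts and answer 405 to the rest, treating the CORS headers purely as browser hints.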