In one environment we have a cross-domain jQuery ajax request using the GET method. Nothing fancy:
```javascript
jQuery.ajax({
  type: 'GET',
  url: url,
  contentType: 'text/plain',
  xhrFields: {
    withCredentials: true   // send cookies with the cross-origin request
  },
  success: function (data) {
    // stuff
  }
});
```
It works fine when served from Tomcat or Apache. The GET stays a GET and does not get an OPTIONS preflight:

```http
GET https://qa.example.com HTTP/1.1
Host: somehost.example.com
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Accept: */*
Origin: http://example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Content-Type: text/plain
DNT: 1
Referer: http://example.com
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,sr;q=0.6
Cookie: JSESSIONID=xxx
```
But when the static files are hosted on Akamai (in a different environment), the request gets an OPTIONS preflight with exactly the same JS:

```http
OPTIONS https://stage.example.com HTTP/1.1
Accept: */*
Origin: https://someorigin.example.com
Access-Control-Request-Method: GET
Access-Control-Request-Headers: content-type, accept
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: test-me.example.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
```
What exactly makes the browser treat the security of this cross-domain request differently just because it is hosted on a CDN? (We use custom DNS for the Akamai files, so they appear to come from our own domain.) Also note that in this case the server does not allow OPTIONS and we have no access to it, but according to these rules that should not matter for simple GETs with no data:
Simple requests are requests that meet the following criteria:
• HTTP Method matches (case-sensitive) one of:
    HEAD
    GET
    POST
• HTTP Headers matches (case-insensitive):
    Accept
    Accept-Language
    Content-Language
    Last-Event-ID
    Content-Type, but only if the value is one of:
      • application/x-www-form-urlencoded
      • multipart/form-data
      • text/plain
This happens regardless of browser; Chrome, IE and FF all handle the simple GET request this way.
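To make the "simple request" rules quoted above concrete, here is an added example (not code from the question or from any of the projects it mentions) that applies exactly those rules to a request's method and author-set headers and reports which item, if any, would force a preflight. It makes two assumptions: the list of headers treated as browser-set (Host, Origin, Cookie, User-Agent and so on) is ours, and Cache-Control and Pragma are assumed to come from a browser reload rather than from the script, as they appear in the first capture. Because an OPTIONS preflight only carries header names, the Akamai-case request is reconstructed from the preflight plus the jQuery call (Content-Type: text/plain, Accept: */*). Two constructed variations show inputs that do cross the line.

```javascript
// Added example: classify a cross-origin request as "simple" or "needs preflight"
// using the rules quoted in the question. Not part of the original post.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'last-event-id', 'content-type',
]);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Assumption: headers the browser sets on its own are not under script control
// and are ignored by the CORS check. Cache-Control and Pragma are assumed here to
// come from a browser reload (as in the first capture), not from the script.
const BROWSER_SET_HEADERS = new Set([
  'host', 'connection', 'origin', 'referer', 'user-agent', 'cookie', 'dnt',
  'accept-encoding', 'content-length', 'cache-control', 'pragma',
]);

// Parse a raw HTTP/1.1 request (request line plus header lines) into
// { method, headers } with lower-cased header names.
function parseRawRequest(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const method = lines[0].split(/\s+/)[0];
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, headers };
}

// Return every reason the request would need a preflight under the quoted rules.
// An empty array means the request is "simple".
function preflightReasons({ method, headers }) {
  const reasons = [];
  if (!SIMPLE_METHODS.has(method)) {
    reasons.push(`method ${method} is not HEAD/GET/POST`);
  }
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (BROWSER_SET_HEADERS.has(lname)) continue;          // browser-managed, ignored
    if (!SIMPLE_HEADERS.has(lname)) {
      reasons.push(`header ${name} is not on the simple list`);
      continue;
    }
    if (lname === 'content-type') {
      // Only the media type counts; parameters such as ;charset=UTF-8 are ignored.
      const essence = value.split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(essence)) {
        reasons.push(`Content-Type ${essence} is not a simple value`);
      }
    }
  }
  return reasons;
}

function isSimpleRequest(req) {
  return preflightReasons(req).length === 0;
}

// The first capture from the question (Cookie value shortened as in the post).
const TOMCAT_CAPTURE = `GET https://qa.example.com HTTP/1.1
Host: somehost.example.com
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Accept: */*
Origin: http://example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Content-Type: text/plain
DNT: 1
Referer: http://example.com
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,sr;q=0.6
Cookie: JSESSIONID=xxx`;

// The Akamai case, reconstructed from the preflight's Access-Control-Request-*
// headers (content-type, accept) plus the values the jQuery call sets.
const AKAMAI_REQUEST = {
  method: 'GET',
  headers: { 'Content-Type': 'text/plain', 'Accept': '*/*' },
};

// Constructed variations (not from the question) that do require a preflight.
const JSON_REQUEST = { method: 'GET', headers: { 'Content-Type': 'application/json' } };
const CUSTOM_HEADER_REQUEST = { method: 'GET', headers: { 'X-Requested-With': 'XMLHttpRequest' } };

for (const [label, req] of [
  ['Tomcat/Apache capture', parseRawRequest(TOMCAT_CAPTURE)],
  ['Akamai request', AKAMAI_REQUEST],
  ['application/json', JSON_REQUEST],
  ['custom header', CUSTOM_HEADER_REQUEST],
]) {
  const reasons = preflightReasons(req);
  console.log(label + ':', reasons.length ? 'preflight because ' + reasons.join('; ') : 'simple');
}
```

Run under Node, the two requests from the question both classify as simple under the quoted list, while the `application/json` body type and the custom `X-Requested-With` header are each reported as the reason a preflight is needed. When debugging a case like the one in the question, the useful comparison is the `Access-Control-Request-Headers` value in the OPTIONS request against this list: any name not on it, or a Content-Type outside the three allowed values, is what the browser is asking the server about.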