我为/api/test建立了一个可靠的角色:
Allow-Origin: http://localhost:8133
Allow-Headers: X-MyHeader
Allow-Method: Get
即
services.AddCors(options =>
{
options.AddPolicy("default", policy =>
{
policy.WithOrigins("http://localhost:8133")
.WithHeaders("X-MyHeader")
.WithMethods("GET");
});
});
和
app.UseCors("default");
如果我使用axios向/api/test发送带有标头X-MyHeader的获取请求,则会发送OPTIONS请求,例如
Access-Control-Request-Headers: x-myheader
Access-Control-Request-Method: GET
Host: localhost:8132
Origin: http://localhost:8133
我收到了回复
Access-Control-Allow-Headers: x-myheader
Access-Control-Allow-Origin: http://localhost:8133
Date: {whatever}
server: {whatever}
为什么缺少Access-Control-Allow-Method标头?
现在,如果我添加另一个标题,例如X-NotSupportedHeader,例如
Access-Control-Request-Headers: x-notsupportedheader
Access-Control-Request-Method: GET
Host: localhost:8132
Origin: http://localhost:8133
我的回答是
Date: {whatever}
server: {whatever}
在控制台中我们得到了
XMLHttpRequest cannot load http://localhost:8132/api/test. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8133' is therefore not allowed access.
如果任何条件失败,为什么没有设置Access-Control-Allow-*标头?