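How do CORS setups work with Angular's XSRF protection? Absolute URLs are simply ignored, but I need XSRF to work for absolute URLs too. Shouldn't this be configurable with HttpClientXsrfModule.withOptions()? This seems like an oversight in the code.
Specifically, I see this in the Angular code: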
https://github.com/angular/angular/blob/master/packages/common/http/src/xsrf.ts#L77-L84
// Skip both non-mutating requests and absolute URLs.
// Non-mutating requests don't require a token, and absolute URLs require special handling
// anyway as the cookie set
// on our origin is not the same as the token expected by another origin.
if (req.method === 'GET' || req.method === 'HEAD' || lcUrl.startsWith('http://') ||
    lcUrl.startsWith('https://')) {
  return next.handle(req);
}
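The decision a custom interceptor has to make for absolute URLs, as an added example that is not part of the original question and is not Angular's own code. It assumes the backend at the allow-listed origin accepts the token held in a cookie the app's origin can read; `TRUSTED_API_ORIGINS`, `readCookie`, `xsrfHeaderFor` and the `example.test` hosts are hypothetical names.

```typescript
// Added example: when may an XSRF header be attached to a request?
// Not Angular's code; all function names and hosts here are assumptions.

const COOKIE_NAME = 'XSRF-TOKEN';    // Angular's default cookie name
const HEADER_NAME = 'X-XSRF-TOKEN';  // Angular's default header name

// Constructed allow-list: only these cross-origin backends may receive the token.
const TRUSTED_API_ORIGINS = new Set(['https://api.example.test']);

// Extract one cookie value from a document.cookie-style string.
function readCookie(cookieString: string, name: string): string | null {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Returns the header to attach, or null when the request must go out untouched.
function xsrfHeaderFor(
  method: string, url: string, appOrigin: string, cookieString: string,
): { name: string; value: string } | null {
  const m = method.toUpperCase();
  if (m === 'GET' || m === 'HEAD') return null;  // non-mutating: no token needed

  let target: URL;
  try {
    target = new URL(url, appOrigin);  // relative URLs resolve against the app
  } catch {
    return null;                       // unparsable URL: fail closed
  }
  // Compare parsed origins, never string prefixes: a prefix match would also
  // accept a look-alike host such as "api.example.test.other.test".
  const sameOrigin = target.origin === new URL(appOrigin).origin;
  if (!sameOrigin && !TRUSTED_API_ORIGINS.has(target.origin)) {
    return null;                       // unknown origin: never send the token
  }
  const token = readCookie(cookieString, COOKIE_NAME);
  return token ? { name: HEADER_NAME, value: token } : null;
}
```

Inside an `HttpInterceptor`, call it with `req.method`, `req.url`, `location.origin` and `document.cookie`, and when it returns a header, forward `req.clone({ headers: req.headers.set(name, value) })`.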