Preflight request is sent with all methods

醉梦人生 2020-12-15 09:31

My FE application is using an API from a different domain. I know that it should trigger CORS, but as I understood it, it shouldn't create a preflight for every request.

Accor

2 Answers
  •  [愿得一人]
    2020-12-15 10:05

    The cross-domain issue typically occurs when the application is hosted on one domain, the web service is hosted on a different domain and we are trying to make an Ajax call to get the response. An Ajax call to our web services ended with a CORS error. The HTTP method that was invoked was OPTIONS and not GET or POST.

    Resolving this issue was one aspect but we still needed to retain the security authentication. Otherwise, we would end up exposing an unauthenticated web service which is a threat.

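    // ORIGIN (the "Origin" header name) and FRONTEND_URL are constants defined elsewhere.
    // Constant-first equals() is null-safe when the Origin header is absent.
    if ("OPTIONS".equals(request.getMethod()) && FRONTEND_URL.equals(request.getHeader(ORIGIN)))
    {
        // Answer the preflight only for the trusted front-end origin.
        response.setHeader("Access-Control-Allow-Origin", FRONTEND_URL);
        // Allow cookies / HTTP authentication on the actual request.
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, HEAD");
        // Echo back the headers the browser asked permission to send.
        response.setHeader("Access-Control-Allow-Headers", request.getHeader("Access-Control-Request-Headers"));
    }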
    
