Should non-2xx status code responses include CORS specific headers

Submitted by 帅比萌擦擦* on 2021-02-07 20:15:51

Question


Should non-2XX status code responses still include CORS specific headers such as Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Max-Age? Does that even make any sense for clients?

For example:

➜  api git:(master) ✗ curl -i http://127.0.0.1:9000/dfas
HTTP/1.1 404 Not Found
Connection: close
Server: Node.js v6.3.1
Cache-Control: no-cache, no-store
Access-Control-Max-Age: 300
Access-Control-Allow-Origin: *
Content-Type: application/json
Content-Length: 60
Date: Thu, 11 Aug 2016 22:58:33 GMT

{"code":"ResourceNotFound","message":"/dfas does not exist"}

Answer 1:


Yes it makes sense to have the server send CORS headers even with non-2xx responses. The reason is that without the CORS headers in the response, the non-2xx response codes aren’t exposed to JavaScript clients (through Fetch or XHR). The response codes may show up in the devtools console but without the CORS headers the only thing the client JavaScript will be able to determine programmatically is that an error occurred—but not the response code for the error.

So if you want JavaScript clients to have the ability to do useful error handling based on the response code, the server should send CORS headers even in non-2xx responses.
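
One way to apply the answer on the server side (an added example, not code from the original question or answer): the CORS headers are set before routing, so the 404 from the question carries them just like a 200 does. The origin allowlist (in place of the `*` shown in the question), the `/items` route and the `simulate` helper are assumptions made for illustration.

```javascript
const http = require('http');

// Assumption: the one web origin allowed to read this API (constructed value).
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// Runs before routing, so error responses get the same headers as 2xx ones.
function applyCors(req, res) {
  const origin = req.headers.origin;
  res.setHeader('Vary', 'Origin'); // caches must not reuse a response across origins
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
  }
}

function sendJson(res, status, body) {
  res.statusCode = status;
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify(body));
}

function handle(req, res) {
  applyCors(req, res);
  if (req.method === 'OPTIONS') { // preflight: the only place Max-Age has an effect
    res.setHeader('Access-Control-Allow-Methods', 'GET');
    res.setHeader('Access-Control-Max-Age', '300');
    res.statusCode = 204;
    return res.end();
  }
  if (req.method === 'GET' && req.url === '/items') { // hypothetical route
    return sendJson(res, 200, { items: [] });
  }
  sendJson(res, 404, { code: 'ResourceNotFound', message: `${req.url} does not exist` });
}

// Hypothetical helper: drive handle() with a stub response for offline inspection.
function simulate(method, url, origin) {
  const headers = {};
  const res = {
    statusCode: 200, body: '',
    setHeader(k, v) { headers[k.toLowerCase()] = v; },
    end(b) { this.body = b || ''; },
  };
  handle({ method, url, headers: origin ? { origin } : {} }, res);
  return { status: res.statusCode, headers, body: res.body };
}

// Run with the argument "serve" to start a real server; otherwise print the 404 case.
if (process.argv[2] === 'serve') http.createServer(handle).listen(9000, '127.0.0.1');
else console.log(simulate('GET', '/dfas', 'https://app.example'));
```
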



Source: https://stackoverflow.com/questions/38907385/should-non-2xx-status-code-responses-include-cors-specific-headers
