Restrictions and resolution of CORS across domains

Understanding across domains

Cross-domain behavior is browser behavior, a cross-domain request actual has been sent to the server, the server has returned to the news, but the browser is received to return information, found that the information is not homologous request and not allow cross-domain limitation, so will this news in the parse the message screen at the same time in the console error.

The solution

Front-end solution

Using the feature that browsers allow tags to cross domains, such as JOSNP, but JSONP can only request data using the GET method, the principle and implementation of JSONP

Backend solutions

Add Access-Control-Allow-Origin header that allows cross domains

'Access-Control-Allow-Origin':'*' // Allows cross-domain requests from all sites, and can also be set to a specific site

CORS requests in advance

If the default Methods, content-type, and Headers are used in a cross-domain request, the browser will first issue a request with the OPTIONS method to verify that it has passed.

A method that allows requests across domains

By default, the browser allows cross-domain request only with GET HEAD POST. If you need to add more multi-party rules, you need to add Access-Control-Allow-Methods in the server side

'Access-Control-Allow-Methods':'DELETE, PUT '// Allow cross-domain requests from all sites, and can also be set to a specific site

Allows cross-domain requestsContent-Type

The browser default allows cross-domain request of the Content-Type only text/plain multipart/form-data application/x-www-form-urlencoded

Custom request headers

If a custom header is added to the request method, the client will report a cross-domain error if the server does not set the corresponding header to Access-Control-Allow-Heards

'Access-Control-Allow-heards ':' X-test-cors' // X-test-cors is a custom header

Access-Control-Max-AgeTime allowed for pre-request

'Access-Control-Max-Age':'1000'

Methods, Content-Type, and Headers that have passed the pre-request within 1000s do not need to re-pre-request validation