Chrome does not block an invalid CORS request

I have a problem with a CORS request that I think should be rejected, but Chrome, Firefox and IE are accepting it. The request, as captured in Wireshark, is:

GET /postcode/rest/postcodeSearch?&provider=&postcode=PL6+7TL HTTP/1.1
Host: devtestl1:5706
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost:5506
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
DNT: 1
Referer: http://localhost:5506/icm/admin/articles/dopreview.cfm?InEditorPreview=false&NodeID=1&Browser=NS6&HTMLEditor=TRUE&FlashTreePluginLocated=12&SubsiteName=&WYSIWYGEditControl=TEMPLATE&bMobileSimulator=False
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en,en-GB;q=0.8

The response is:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:5506
Access-Control-Allow-Method: POST
Access-Control-Max-Age: 60
Access-Control-Allow-Headers: Content-Type,Authorization,X-Api-Session,X-Api-Key,X-Api-Token
Access-Control-Expose-Headers: Content-Type,X-Api-Session,X-Api-Token
Content-Type: application/json; charset=utf-8
Content-Length: 669
Date: Tue, 18 Feb 2014 11:14:57 GMT
Connection: keep-alive

{"result":[{"udprn":"18994206","company":"Delta Engineering Plymouth LLP","department":"","line1":"Darklake View","line2":"Estover","line3":"","line4":"","line5":"","town":"Plymouth","county":"Devon","postcode":"PL6 7TL"},{"udprn":"18994215","company":"Goss Interactive Ltd","department":"","line1":"24 Darklake View","line2":"Estover","line3":"","line4":"","line5":"","town":"Plymouth","county":"Devon","postcode":"PL6 7TL"},{"udprn":"18994208","company":"Jennycrafts","department":"","line1":"Cranmere House","line2":"21 Darklake View","line3":"Estover","line4":"","line5":"","town":"Plymouth","county":"Devon","postcode":"PL6 7TL"}],"_transport_":{"statusCode":200}}
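The returned postcode data is displayed in the browser, even though the GET request was answered with an "Access-Control-Allow-Method: POST" header. As far as I understand, the browser should discard the entire response.

Why is this response allowed?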

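Thanks,
Andy

I think I now understand what the problem is. The Access-Control-Allow-Method header is only used with the OPTIONS preflight message. It seems that the decision to reject a request based on its method should be made on the server. The same applies to the Access-Control-Allow-Headers header.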

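How is the request initiated?

That's correct. Since your request is a GET request without any custom headers, there is no preflight request. Your server should guard against these types of requests. Note that someone can make cross-domain GET requests without using CORS, for example with img or src tags.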
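
Added example (not part of the original thread): a small JavaScript model of the point made in the replies, that a GET carrying only browser-set and safelisted headers never triggers a preflight, so the method restriction has to be enforced by the server itself. The function names, `ALLOWED_METHODS`, and the treatment of the captured headers as browser-set are assumptions made for this sketch.

```javascript
// Added example; needsPreflight, decide and ALLOWED_METHODS are hypothetical names.
// Headers the browser added on its own in the capture above (assumed not author-set).
const BROWSER_SET = new Set(['host', 'connection', 'origin', 'user-agent', 'referer',
  'accept-encoding', 'dnt', 'content-length']);
// CORS-safelisted request headers; Content-Type is safelisted for three values only.
// Assumption: the Fetch standard's extra limits on header values are not modelled.
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded',
  'multipart/form-data', 'text/plain']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// True when a browser would send an OPTIONS preflight before this cross-origin
// request. Only then are the Access-Control-Allow-Methods / -Headers values consulted.
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (BROWSER_SET.has(n) || SAFE_HEADERS.has(n)) continue;
    if (n === 'content-type' &&
        SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase())) continue;
    return true; // author-set header outside the safelist
  }
  return false;
}

// Server-side policy: the method check the browser never performs for a
// non-preflighted request. Mirrors the "POST" advertised in the response above.
const ALLOWED_METHODS = new Set(['POST', 'OPTIONS']);

// Status the endpoint should answer with; 200 means "serve the data".
function decide(method) {
  return ALLOWED_METHODS.has(method.toUpperCase()) ? 200 : 405;
}

// Constructed from the request captured above.
const captured = {
  Host: 'devtestl1:5706', Connection: 'keep-alive',
  Accept: 'application/json, text/javascript, */*; q=0.01',
  Origin: 'http://localhost:5506', DNT: '1',
  'Accept-Encoding': 'gzip,deflate,sdch', 'Accept-Language': 'en,en-GB;q=0.8',
};

console.log('captured GET preflighted?', needsPreflight('GET', captured));
console.log('with X-Api-Key preflighted?',
  needsPreflight('GET', { ...captured, 'X-Api-Key': 'constructed-value' }));
console.log('server answer to GET:', decide('GET'));
```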