How can I identify a CORS preflight request?

慢半拍i 2021-01-21 13:51

A CORS preflight request obviously uses the OPTIONS method and has an Origin header. However, a browser can decide for any HTTP request to add an Origin header. Also, O

2 answers
  •  挽巷 (original poster)
    2021-01-21 14:16

    Check for the existence of this essential information present in a preflight request:

    1. The request's HTTP method is OPTIONS
    2. It has an Origin header
    3. It has an Access-Control-Request-Method header, indicating what's the actual method it's trying to use to consume your service/resource

    Considerations

    In theory you could be so clever and manually set those headers and try to make some fake preflight request for some reason.

    However, your browser would complain with the following sample message: Refused to set unsafe header "Origin" (tested as an XHR request on Chrome), while other apps, such as Postman, will set their own Origin as, say, Origin: chrome://extension...
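
The three checks from the answer above, written as a server-side classifier with an allowlist-based preflight response. This is an added example, not part of the original answer; the allowlists, the function names and the sample requests are assumptions made for illustration.

```javascript
// Assumed allowlists for illustration; replace with your own policy.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "DELETE"]);

// Header names are case-insensitive; normalise so plain objects work too.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

const nonEmpty = (v) => typeof v === "string" && v !== "";

// "preflight": all three checks hold. "cors": Origin present but not a
// preflight (e.g. a bare OPTIONS call). "plain": no Origin at all.
// This describes the request's shape only; non-browser clients can send
// any of these headers, so it is not evidence of who the caller is.
function classifyRequest(method, headers) {
  const h = lowerKeys(headers);
  if (method === "OPTIONS" && nonEmpty(h["origin"]) &&
      nonEmpty(h["access-control-request-method"])) return "preflight";
  return nonEmpty(h["origin"]) ? "cors" : "plain";
}

// Grant CORS headers only to allowlisted origin/method pairs. Without
// them the browser fails the preflight and never sends the real request.
function answerPreflight(headers) {
  const h = lowerKeys(headers);
  const origin = h["origin"];
  const wanted = h["access-control-request-method"];
  if (!ALLOWED_ORIGINS.has(origin) || !ALLOWED_METHODS.has(wanted)) {
    return { status: 403, headers: {} };
  }
  return { status: 204, headers: {
    "Access-Control-Allow-Origin": origin, // echo the vetted origin
    "Access-Control-Allow-Methods": wanted,
    "Vary": "Origin, Access-Control-Request-Method",
  } };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  ["OPTIONS", { Origin: "https://app.example.com", "Access-Control-Request-Method": "PUT" }],
  ["OPTIONS", { Origin: "https://app.example.com" }],
  ["GET", { Origin: "https://app.example.com" }],
  ["OPTIONS", { Origin: "https://other.example", "Access-Control-Request-Method": "PUT" }],
];
for (const [m, h] of SAMPLES) {
  const kind = classifyRequest(m, h);
  console.log(m, kind, kind === "preflight" ? answerPreflight(h).status : "-");
}
```

Because any non-browser client can produce a request that classifies as a preflight, authorization still has to be enforced on the actual request, not on the preflight.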
