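In projects with a separated front end and back end, cross-origin requests used to be handled with JSONP, but JSONP only supports GET requests, so it is rarely used for this any more. CORS is now the usual approach, configured either in nginx, for example:
add_header 'Access-Control-Allow-Origin' *;
add_header 'Access-Control-Allow-Methods' *;
or in the back-end server, with response.setHeader("Access-Control-Allow-Origin", "*"); and so on.
In the past I only knew to copy these settings over and be done with it, and never thought about what the parameters mean. Then recently I ran into a pitfall while developing a DingTalk application, and in the end found that it was configuring Access-Control-Allow-Headers as * that made it not take effect. So I studied CORS in more depth and organized what I learned.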
CORS configuration for Spring Boot 2.x
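import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfiguration implements WebMvcConfigurer {
    /**
     * Cross-origin (CORS) settings.
     * Note: browsers do not accept "*" as Access-Control-Allow-Origin on credentialed
     * requests, and Spring Framework 5.3+ (Spring Boot 2.4+) rejects allowedOrigins("*")
     * combined with allowCredentials(true) with an IllegalArgumentException.
     */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOrigins("*")
                .allowCredentials(true)
                .allowedMethods("*")
                .allowedHeaders("*");
    }
}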
Spring Boot 1.x
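import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;

@WebFilter(filterName = "corsFilter")
@Configuration
public class CorsFilter implements Filter {
    // Servlet 3.x (used by Spring Boot 1.x) has no default init()/destroy(), so both are implemented.
    @Override
    public void init(FilterConfig filterConfig) {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "*");
        response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
        chain.doFilter(req, res);
    }
    @Override
    public void destroy() {}
}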
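Under the Fetch standard, `*` in the CORS response headers is a wildcard only for requests sent without credentials. The following added example (not code from the original post) approximates the browser's preflight checks in JavaScript and runs them against the headers set by the Spring Boot 1.x filter above; `checkPreflight`, the origin `https://app.example` and the `EXPLICIT` header set are constructed for illustration.

```javascript
// Added example: approximates the Fetch standard's CORS preflight checks.
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// request.unsafeHeaders: header names that are not CORS-safelisted; the caller
// supplies them (assumption: this sketch does not compute safelisting itself).
function checkPreflight(request, res) {
  const { origin, method, unsafeHeaders = [], credentials = false } = request;
  const allowOrigin = res["access-control-allow-origin"];
  if (allowOrigin === undefined) return "blocked: origin (header missing)";
  // "*" matches any origin only when the request carries no credentials.
  if ((credentials || allowOrigin !== "*") && allowOrigin !== origin)
    return "blocked: origin";
  if (credentials && res["access-control-allow-credentials"] !== "true")
    return "blocked: credentials";
  // In Allow-Methods / Allow-Headers, "*" is a literal for credentialed requests.
  const methods = list(res["access-control-allow-methods"]);
  const wildcardMethod = !credentials && methods.includes("*");
  if (!SAFE_METHODS.includes(method) && !methods.includes(method) && !wildcardMethod)
    return "blocked: method " + method;
  const allowed = list(res["access-control-allow-headers"]).map((h) => h.toLowerCase());
  const wildcardHeader = !credentials && allowed.includes("*");
  for (const name of unsafeHeaders.map((h) => h.toLowerCase())) {
    // Authorization is never covered by "*"; it must be listed by name.
    const covered = allowed.includes(name) || (wildcardHeader && name !== "authorization");
    if (!covered) return "blocked: header " + name;
  }
  return "allowed";
}

const ORIGIN = "https://app.example"; // constructed sample origin
// Headers exactly as set by the Spring Boot 1.x filter on this page.
const PAGE_FILTER = {
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "*",
  "access-control-allow-headers": "Origin, X-Requested-With, Content-Type, Accept",
};
// Constructed: explicit values for a credentialed PUT with a JSON body.
const EXPLICIT = {
  "access-control-allow-origin": ORIGIN,
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "GET, POST, PUT",
  "access-control-allow-headers": "Content-Type",
};
const put = (credentials) =>
  ({ origin: ORIGIN, method: "PUT", unsafeHeaders: ["Content-Type"], credentials });
for (const [c, h] of [[false, PAGE_FILTER], [true, PAGE_FILTER], [true, EXPLICIT]])
  console.log(checkPreflight(put(c), h));
```

The filter's headers pass for a request without credentials but are blocked at the origin check once cookies or other credentials are included; the explicit set passes in both cases.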
References
https://www.w3.org/TR/cors/
http://www.ruanyifeng.com/blog/2016/04/cors.html