问题描述
没有自定义标头的简单 GET 请求.响应按预期返回.可以访问正文中的数据,但不能访问标题.
A simple GET request with no custom headers. The response is returned as expected. The data in the body is accessible, but not the headers.
当我尝试访问etag"标头时,浏览器会引发异常:
When I try to access the "etag" header, browsers raise an exception :
拒绝获取不安全的标头etag"
Refused to get unsafe header "etag"
Chrome、Safari 和 Firefox 的行为都相同.我没有在IE上测试过.
Chrome, Safari and Firefox all behave the same. I didn't test it on IE.
我在这里错过了什么?
推荐答案
使用 CORS 时只暴露简单的响应头.这里定义了简单的响应头.ETag 不是一个简单的响应头.如果要暴露非简单的标头,则需要设置 Access-Control-Expose-Headers 标头,如下所示:
Only simple response headers are exposed when using CORS. Simple response headers are defined here. ETag is not a simple response headers. If you want to expose non-simple headers, you need to set the Access-Control-Expose-Headers header, like so:
Access-Control-Expose-Headers: ETag
但是,请注意,我注意到 Chrome、Safari 和 Firefox 中的错误会阻止非简单标头正确公开.这可能现在已经解决了,我不确定.
However, note that I've noticed bugs in Chrome, Safari and Firefox that prevent non-simple headers from being exposed correctly. This may be fixed by now, I'm not sure.
您不需要进行预检请求,因为只有非 GET/POST http 方法或非简单的 request 标头才需要预检(并且您正在询问 response 标题).
You shouldn't need to do a preflight request, since preflight is only required for non-GET/POST http methods or non-simple request headers (and you are asking about response headers).
这篇关于跨域资源共享 GET:'拒绝获取不安全的标头“etag"'从响应的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!