This article draws on: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
Overview
Access-Control-Allow-Credentials
The only valid value is the lowercase literal true (the check is case-sensitive). If credentials are not needed, omit the header entirely rather than setting it to false.
When XMLHttpRequest.withCredentials = true or Request.credentials = "include", the browser only lets front-end JavaScript read the response if the response to the CORS-actual request carries Access-Control-Allow-Credentials: true.
Let us go through the cases one by one and see how Access-Control-Allow-Credentials affects the response to the CORS-actual request in a cross-origin setting.
Cross-origin, no CORS-preflight request
1. The CORS-actual request is sent with credentials:
   a. The response to the CORS-actual request sets Access-Control-Allow-Credentials: the browser reads the response normally.
   b. The response to the CORS-actual request does not set Access-Control-Allow-Credentials: the browser discards the response.
2. The CORS-actual request is sent without credentials:
   a. Whether or not the response to the CORS-actual request sets Access-Control-Allow-Credentials has no effect.
Cross-origin, with a CORS-preflight request
I. The response to the CORS-preflight request sets Access-Control-Allow-Credentials:
   1. The CORS-actual request is sent with credentials:
      a. The response to the CORS-actual request sets Access-Control-Allow-Credentials: the browser reads the response normally.
      b. The response to the CORS-actual request does not set Access-Control-Allow-Credentials: the browser discards the response.
   2. The CORS-actual request is sent without credentials:
      a. Whether or not the response to the CORS-actual request sets Access-Control-Allow-Credentials has no effect.
II. The response to the CORS-preflight request does not set Access-Control-Allow-Credentials:
   1. The CORS-actual request is sent with credentials:
      a. The CORS-actual request is never sent at all, so there is no response to the CORS-actual request to speak of.
   2. The CORS-actual request is sent without credentials:
      a. Whether or not the response to the CORS-actual request sets Access-Control-Allow-Credentials has no effect.
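The decision table above, written out as runnable code. This is an added example, not code from the original post or from MDN: corsOutcome() models the browser-side decision along the single dimension the post discusses (it assumes Access-Control-Allow-Origin already matches the requesting origin), and corsResponseHeaders() is a server-side helper showing how to emit the header correctly, echoing an allow-listed Origin instead of "*", which browsers reject once credentials are involved. All function names and the origins used are made up for the example.

```javascript
// Added example: browser-side model of Access-Control-Allow-Credentials handling
// plus a server-side header builder. Function names are hypothetical.

// The Fetch spec accepts only the literal, lowercase string "true".
// "True", "TRUE", "false", "1" and a missing header all count as "not allowed".
function allowsCredentials(headerValue) {
  return headerValue === 'true';
}

// Model of what the browser does with a cross-origin response, looking only at
// Access-Control-Allow-Credentials (Access-Control-Allow-Origin is assumed to
// already match the requesting origin).
//   withCredentials - request sent with credentials (withCredentials = true / credentials: "include")
//   preflight       - whether a CORS-preflight request precedes the actual request
//   preflightACAC   - Access-Control-Allow-Credentials on the preflight response (undefined if absent)
//   actualACAC      - Access-Control-Allow-Credentials on the actual response (undefined if absent)
// Returns:
//   'readable'   - JavaScript may read the response
//   'ignored'    - the actual response arrives but the browser withholds it from JavaScript
//   'no-request' - the preflight fails, so the actual request is never sent
function corsOutcome({ withCredentials, preflight, preflightACAC, actualACAC }) {
  if (!withCredentials) {
    // Case 2 in every branch of the table: without credentials the header is irrelevant.
    return 'readable';
  }
  if (preflight && !allowsCredentials(preflightACAC)) {
    // Case II.1.a: preflight without the header blocks the actual request outright.
    return 'no-request';
  }
  // Cases 1.a / 1.b and I.1.a / I.1.b: the actual response decides.
  return allowsCredentials(actualACAC) ? 'readable' : 'ignored';
}

// Server-side helper returning the CORS headers to attach to a response.
// Credentialed CORS requires a specific origin in Access-Control-Allow-Origin;
// a wildcard "*" is rejected by browsers when credentials are in play, so the
// request's Origin is echoed only if it is on the allow-list.
function corsResponseHeaders(requestOrigin, allowedOrigins, needCredentials) {
  const headers = {};
  if (!allowedOrigins.includes(requestOrigin)) {
    return headers; // unknown origin: emit no CORS headers at all
  }
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  headers['Vary'] = 'Origin'; // the response differs per origin; keep caches honest
  if (needCredentials) {
    // Never emit "false": if credentials are not needed the header is simply omitted.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Walk every row of the post's table and return the computed outcomes.
function outcomeTable() {
  const rows = [
    { label: '1.a',    withCredentials: true,  preflight: false, actualACAC: 'true' },
    { label: '1.b',    withCredentials: true,  preflight: false },
    { label: '2.a',    withCredentials: false, preflight: false },
    { label: 'I.1.a',  withCredentials: true,  preflight: true, preflightACAC: 'true', actualACAC: 'true' },
    { label: 'I.1.b',  withCredentials: true,  preflight: true, preflightACAC: 'true' },
    { label: 'I.2.a',  withCredentials: false, preflight: true, preflightACAC: 'true' },
    { label: 'II.1.a', withCredentials: true,  preflight: true },
    { label: 'II.2.a', withCredentials: false, preflight: true },
  ];
  return rows.map((row) => ({ label: row.label, outcome: corsOutcome(row) }));
}

for (const { label, outcome } of outcomeTable()) {
  console.log(`${label.padEnd(7)} -> ${outcome}`);
}
console.log(corsResponseHeaders('https://app.example', ['https://app.example'], true));
```

Running the block prints one line per row of the table; the credentialed rows end in readable only when both the preflight response (if any) and the actual response carry the exact value true.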
End