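Background
Tracking (analytics) log reporting embedded in H5 pages inevitably runs into cross-origin issues.
I. Client
Modify the ajax call so that it carries cookies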
withCredentials: true
crossDomain: true
II. Server
1. When cookies are required
Access-Control-Allow-Origin: http://xxx.xxx.com
Access-Control-Allow-Headers: Content-Type
Access-Control-Expose-Headers: Authorization, authenticated
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, OPTIONS
Access-Control-Allow-Credentials: true
2. When cookies are not required
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, OPTIONS
Access-Control-Allow-Origin: *
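Notes
When withCredentials=true, the Access-Control-Allow-Origin value returned by the cross-origin endpoint must not be *, otherwise the browser's security check fails (Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true). The H5 page's ajax requests should therefore set withCredentials=true only for the domains that actually need cookies, and must not set it globally.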
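The two server-side cases above, combined in one header-building function. This is an added example, not code from the original page; the helper name corsHeaders, the COOKIE_ORIGINS allowlist and the example.com origins are assumptions made for illustration. For cookie-carrying endpoints it returns the request's Origin only on an exact allowlist match, rather than reflecting whatever Origin arrives.

```javascript
// Added example: the origins below are constructed samples, not from the page.
const COOKIE_ORIGINS = new Set([
  "https://h5.example.com",
  "https://m.example.com",
]);

// Build CORS response headers for a log-reporting endpoint (hypothetical helper).
// needsCookie is true for endpoints the client calls with withCredentials: true.
function corsHeaders(requestOrigin, needsCookie) {
  const headers = {
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Allow-Methods": "GET, POST, PATCH, PUT, OPTIONS",
  };
  if (!needsCookie) {
    // Case 2: no cookies, so the browser accepts the wildcard.
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }
  // Case 1: the response differs per Origin, so caches must key on it.
  headers["Vary"] = "Origin";
  // Exact string match only: no suffix or substring checks, and an
  // unknown Origin is never echoed back alongside Allow-Credentials.
  if (typeof requestOrigin === "string" && COOKIE_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Access-Control-Expose-Headers"] = "Authorization, authenticated";
  }
  // Unknown origin: no Allow-Origin header, so the browser blocks the read.
  return headers;
}

// Constructed sample requests: [Origin header, endpoint needs cookies]
const samples = [
  ["https://h5.example.com", true],
  ["https://h5.example.com.lookalike.test", true],
  ["null", true],
  ["https://other.example.org", false],
];
for (const [origin, needsCookie] of samples) {
  console.log(origin, needsCookie, corsHeaders(origin, needsCookie));
}
```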