Nginx CORS 配置

616 字
3 分钟
Nginx CORS 配置

浏览器同源策略#

浏览器安全的基石是”同源策略”(same-origin policy). “同源”指的是”三个相同”:

  • 协议相同
  • 域名相同
  • 端口相同

如果非同源,共有三种行为受到限制。

  • CookieLocalStorageIndexDB无法读取
  • DOM无法获得
  • AJAX请求不能发送

CORS原理解析#

CORS是跨源AJAX请求的根本解决方法. JSONP只能发GET请求, 但是CORS允许任何类型的请求.

整个CORS通信过程都是浏览器自动完成的, 不需要用户参与. 对于开发者来说, CORS通信与同源的AJAX通信没有差别, 代码完全一样. 浏览器一旦发现AJAX请求跨源,就会自动添加一些附加的头信息,有时还会多一次附加的请求,但用户不会有感觉。因此,实现CORS通信的关键是**服务器. **只要服务器支持 CORS, 就可以跨源通信.

简单请求和非简单请求#

Simple requests

直接在请求时加上 Origin 的 header

Untitled 50
Untitled 50

Preflighted requests

发出请求前, 会发起一次 OPTION 请求

Untitled 51
Untitled 51

Nginx CORS 配置#

add_header不是所有返回都会追加,只限特定状态码的返回才有效,如果想所有返回都生效需要加上always选项参数

官方的解释

Syntax: add_header name value [always];
Default: —
Context: http, server, location, if in location
# 配置示例
location /path {
proxy_pass target;
add_header 'Access-Control-Allow-Origin' $http_origin always;
add_header 'Access-Control-Request-Method' 'GET,POST,OPTIONS,DELETE,PUT' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
}

CORS 响应头说明#

header是否必填说明
Access-Control-Allow-OriginYAccess-Control-Allow-Origin 它的值要么是请求时Origin字段的值,要么是一个*,表示接受任意域名的请求, 不推荐*
Access-Control-Allow-CredentialsNThe Access-Control-Allow-Credentials header indicates whether or not the response to the request can be exposed when the credentials flag is true.
Access-Control-Expose-HeadersNThe Access-Control-Expose-Headers header adds the specified headers to the allowlist that JavaScript (such as Response.headers) in browsers is allowed to access.
Access-Control-Allow-HeadersYThe Access-Control-Allow-Methods header specifies the method or methods allowed when accessing the resource. This is used in response to a preflight request.
Access-Control-Allow-MethodsYThe Access-Control-Allow-Methods header specifies the method or methods allowed when accessing the resource. This is used in response to a preflight request.
Access-Control-Max-AgeNThe Access-Control-Max-Age header indicates how long the results of a preflight request can be cached.

CORS 请求头说明#

header说明
OriginThe Origin header indicates the origin of the cross-origin access request or preflight request.
Access-Control-Request-MethodThe Access-Control-Request-Method is used when issuing a preflight request to let the server know what HTTP method will be used when the actual request is made.
Access-Control-Request-HeadersThe Access-Control-Request-Headers header is used when issuing a preflight request to let the server know what HTTP headers will be used when the actual request is made (for example, by passing them as the headers option to the Request() constructor). This browser-side header will be answered by the complementary server-side header of Access-Control-Allow-Headers.

📎 参考文章#

文章分享

如果这篇文章对你有帮助,欢迎分享给更多人!

Nginx CORS 配置
https://blog.sephy.top/posts/nginx-cors-配置/
作者
虾米
发布于
2024-02-24
许可协议
CC BY-NC-SA 4.0
随机文章随机推荐
Profile Image of the Author
虾米
coder
分类
标签
站点统计
文章
61
分类
4
标签
52
总字数
64,663
运行时长
0
最后活动
0 天前
站点信息
构建平台
GitHub Actions
博客版本
Firefly v6.13.9
文章许可
CC BY-NC-SA 4.0