  • Cross-Origin API


    Simple cross-origin requests
    For these, simply setting the header that allows cross-origin access is enough.

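    # Method of a tornado.web.RequestHandler subclass
    def set_default_headers(self):
        # '*' lets any site read the response; browsers reject it for credentialed requests
        self.set_header('Access-Control-Allow-Origin', '*')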
    

    A request that meets the conditions below is a simple request; anything else is not.

    Simple requests

    A simple cross-site request is one that meets all the following conditions:

    The only allowed methods are:
        GET
        HEAD
        POST
    Apart from the headers set automatically by the user agent (e.g. Connection, User-Agent, etc.), the only headers which are allowed to be manually set are:
        Accept
        Accept-Language
        Content-Language
        Content-Type
    The only allowed values for the Content-Type header are:
        application/x-www-form-urlencoded
        multipart/form-data
        text/plain
    

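    Complex cross-origin requests
    Every non-simple request falls into this category, for example a POST request with Content-Type: application/json (see "CORS explained").
    For a complex cross-origin request, the browser first sends an OPTIONS verification request to check whether the server allows the real request that is about to be made (mainly its method and headers). If it should be allowed, set the corresponding rules as shown below: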

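    # Method of a tornado.web.RequestHandler subclass
    def set_default_headers(self):
        # '*' lets any site read the response; browsers reject it for credentialed requests
        self.set_header('Access-Control-Allow-Origin', '*')
        self.set_header('Access-Control-Allow-Methods', 'POST, GET, OPTIONS')
        self.set_header('Access-Control-Max-Age', 86400)  # 24 hours
        # The '*' wildcard here does not cover the Authorization header
        self.set_header('Access-Control-Allow-Headers', '*')
        # self.set_header('Content-type', 'application/json')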
    

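    The server can configure different cross-origin settings for different URLs; this is also a basic part of a website's security configuration.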

    The flow of a complex request

    The OPTIONS request sent by the browser:

    OPTIONS /resources/post-here/ HTTP/1.1
    Host: bar.other
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Connection: keep-alive
    Origin: http://foo.example
    Access-Control-Request-Method: POST
    Access-Control-Request-Headers: X-PINGOTHER, Content-Type
    

    The server's response to the OPTIONS request:

    HTTP/1.1 200 OK
    Date: Mon, 01 Dec 2008 01:15:39 GMT
    Server: Apache/2.0.61 (Unix)
    Access-Control-Allow-Origin: http://foo.example
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
    Access-Control-Max-Age: 86400
    Vary: Accept-Encoding, Origin
    Content-Encoding: gzip
    Content-Length: 0
    Keep-Alive: timeout=2, max=100
    Connection: Keep-Alive
    Content-Type: text/plain
    

    After the verification succeeds, the real request is sent:

    POST /resources/post-here/ HTTP/1.1
    Host: bar.other
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Connection: keep-alive
    X-PINGOTHER: pingpong
    Content-Type: text/xml; charset=UTF-8
    Referer: http://foo.example/examples/preflightInvocation.html
    Content-Length: 55
    Origin: http://foo.example
    Pragma: no-cache
    Cache-Control: no-cache
    
    <?xml version="1.0"?><person><name>Arun</name></person>
    
    
    HTTP/1.1 200 OK
    Date: Mon, 01 Dec 2008 01:15:40 GMT
    Server: Apache/2.0.61 (Unix)
    Access-Control-Allow-Origin: http://foo.example
    Vary: Accept-Encoding, Origin
    Content-Encoding: gzip
    Content-Length: 235
    Keep-Alive: timeout=2, max=99
    Connection: Keep-Alive
    Content-Type: text/plain
    
    [Some GZIP'd payload]
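
    The per-URL configuration and the preflight exchange above can be reduced to one decision function that echoes an allow-listed origin instead of sending '*'. This is an added example, not code from the original post; the POLICIES table, the function names and the /public/ path are assumptions made for illustration.

```python
# Added example (not from the original post). POLICIES is constructed for
# illustration; the first entry mirrors the sample exchange shown above.
POLICIES = {
    "/resources/post-here/": {
        "origins": {"http://foo.example"},
        "methods": {"GET", "POST", "OPTIONS"},
        "headers": {"x-pingother", "content-type"},
        "max_age": 86400,  # 24 hours
    },
    "/public/": {"origins": {"*"}, "methods": {"GET"}, "headers": set(), "max_age": 600},
}


def _allow_origin(policy, origin):
    """Return the Access-Control-Allow-Origin value, or None to deny."""
    if "*" in policy["origins"]:
        return "*"
    return origin if origin in policy["origins"] else None


def preflight_headers(path, origin, req_method, req_headers=""):
    """Headers for the OPTIONS response; {} means the browser will block."""
    policy = POLICIES.get(path)
    allowed = _allow_origin(policy, origin) if policy else None
    wanted = {h.strip().lower() for h in req_headers.split(",") if h.strip()}
    ok = allowed and req_method in policy["methods"] and wanted <= policy["headers"]
    if not ok:
        return {}
    out = {
        "Access-Control-Allow-Origin": allowed,
        "Access-Control-Allow-Methods": ", ".join(sorted(policy["methods"])),
        "Access-Control-Max-Age": str(policy["max_age"]),
        "Vary": "Origin",  # caches must not reuse this response for another origin
    }
    if wanted:
        out["Access-Control-Allow-Headers"] = ", ".join(sorted(wanted))
    return out


def actual_headers(path, origin):
    """Headers for the real response that follows a successful preflight."""
    policy = POLICIES.get(path)
    allowed = _allow_origin(policy, origin) if policy else None
    return {"Access-Control-Allow-Origin": allowed, "Vary": "Origin"} if allowed else {}


if __name__ == "__main__":
    print(preflight_headers("/resources/post-here/", "http://foo.example",
                            "POST", "X-PINGOTHER, Content-Type"))
```

    In a handler like the one above, set_default_headers would copy the result of actual_headers onto the response, and an options method would send the result of preflight_headers with an empty body.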
    

    References
    http://www.oschina.net/question/1014827_115277?sort=time
    http://blog.csdn.net/wangjun5159/article/details/49096445
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests

  • Original article: https://www.cnblogs.com/wancy86/p/5853620.html