Solving cross-origin problems with CORS in Spring Boot


Suppose a user visits http://www.example.com and the page attempts a cross-origin request to fetch the user's data from http://service.example.com. A CORS-compatible browser will attempt to make a cross-origin request to service.example.com as follows.


 

The browser sends the OPTIONS request with an Origin HTTP header to service.example.com containing the domain that served the parent page:
Origin: http://www.example.com

 

The server at service.example.com may respond with an Access-Control-Allow-Origin (ACAO) header in its response indicating which origin sites are allowed. For example:

Access-Control-Allow-Origin: http://www.example.com

Since www.example.com matches the parent page, the browser then performs the cross-origin request.

JSONP only supports GET requests; compared with JSONP, CORS offers broader support.

 
package com.baselogic.boot.corsdemo;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.filter.GenericFilterBean;

import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * CORS Filter
 *
 * This filter is an implementation of W3C's CORS
 * (Cross-Origin Resource Sharing) specification,
 * which is a mechanism that enables cross-origin requests.
 *
 */
public class CORSFilter extends GenericFilterBean implements Filter {

    private Logger logger = LoggerFactory.getLogger(this.getClass());

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        HttpServletResponse httpResponse = (HttpServletResponse) response;
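        // "*" lets pages from any origin read these responses; browsers only
        // accept the wildcard because credentials are disabled below.
        httpResponse.setHeader("Access-Control-Allow-Origin", "*");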
//        httpResponse.setHeader("Access-Control-Allow-Methods", "*");
        httpResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");

//        httpResponse.setHeader("Access-Control-Allow-Headers", "*");
        httpResponse.setHeader("Access-Control-Allow-Headers",
                "Origin, X-Requested-With, Content-Type, Accept, X-Auth-Token, X-Csrf-Token, WWW-Authenticate, Authorization");
        httpResponse.setHeader("Access-Control-Expose-Headers", "custom-token1, custom-token2");
        httpResponse.setHeader("Access-Control-Allow-Credentials", "false");
        httpResponse.setHeader("Access-Control-Max-Age", "3600");

        // Collect the response headers set so far for the debug log.
        StringBuilder sb = new StringBuilder();
        sb.append("\nCORS HEADERS:\n");
        sb.append("---------------\n");
        httpResponse.getHeaderNames()
                .forEach(name -> {
                            sb.append(name).append(": ").append(httpResponse.getHeader(name)).append("\n");
                        }
                );
        logger.debug("********** CORS Configuration Completed **********");
        logger.debug(sb.toString());

        chain.doFilter(request, response);
    }


} 

   

reference:

https://github.com/mickknutson/corsdemo

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Please credit the source when reposting: https://www.cnblogs.com/lnas01/p/10343165.html
