Request header field cache-control is not allowed by Access-Control-Allow-Headers in preflight respo

Copyright: the voice of experience, I do not know whether the change package spicy bar, and the other, please indicate the source. https://blog.csdn.net/zhezhebie/article/details/90693220

When the front and rear end interactive experience cross-domain problem, I use a front-end direct postman code inside the code, and then being given, because I allow the back end of the first header which does not contain a cache-control and postman-token , it will explode the following errors:

element.style {
}
user agent stylesheet
body {
    display: block;
    margin: 8px;
}

index.html:1 Access to XMLHttpRequest at 'http://xxx:88/api/xx/index' from origin 'http://test.com' has been blocked by CORS policy: Request header field cache-control is not allowed by Access-Control-Allow-Headers in preflight response.

Front-end test code:

<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<title>Document</title>
</head>
<body>
	<h1>123124</h1>
</body>
<script src="https://cdn.bootcss.com/jquery/3.4.1/jquery.min.js"></script>
<script>
	var form = new FormData();
	form.append("email", "[email protected]");
	form.append("password", "password");

	var settings = {
	  "async": true,
	  "crossDomain": true,
	  "url": "http://xxx/api/product/index",
	  "method": "GET",
	  "headers": {#就是这里导致上面的错误
	    "Cache-Control": "no-cache",
	    "Postman-Token": "6a627352-c28b-4853-b59a-1f6f753e66e6"
	  },
	  "processData": false,
	  "contentType": false,
	  "mimeType": "multipart/form-data",
	  "data": form
	}

	$.ajax(settings).done(function (response) {
	  console.log(response);
	});
</script>
</html>

There are two solutions:

1. The front end of which a request to remove the headers and the inside cache-control postman-token

1. Inside the rear end of middleware which allows cache-control headers and postman-token

<?php

namespace App\Http\Middleware;

use Closure;

class CrossHttp {
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next) {
        $response = $next($request);
        $response->header('Access-Control-Allow-Origin', '*');
        $response->header('Access-Control-Allow-Headers', 'Origin, Content-Type, cache-control,postman-token,Cookie, Accept');#注意这里
        $response->header('Access-Control-Allow-Methods', 'GET, POST, PATCH, PUT, OPTIONS');
        // $response->header('Access-Control-Allow-Credentials', 'true');
        return $response;
    }

}

Again requests can be.