The OPTIONS request in cross-domain requests, explained

Before the actual cross-domain request, the browser first sends a "preflight" (i.e. an OPTIONS request) to ask the server which methods it allows (such as GET, POST), which Origin (source or domain) is allowed cross-domain access, and whether Credentials (authentication information) are needed.
 
Three scenarios:
1. If the cross-domain request is a simple request, no preflight is triggered. Mozilla's requirements for a simple request:
All three of the following must be true:
1. The method is only GET, HEAD or POST
2. Apart from the headers the browser itself adds (such as Connection, User-Agent), the developer may only add these: Accept, Accept-Language, Content-Type, ...
3. Content-Type can only take these values:
  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/plain

First, why is there an OPTIONS request?

In a cross-domain request, the OPTIONS request is a preflight request that the browser initiates on its own to check whether the actual request will be accepted.

Two header fields in the preflight request need attention:

(1) Access-Control-Request-Method: tells the server the HTTP method the actual request will use;

(2) Access-Control-Request-Headers: tells the server the custom header fields the actual request will carry.

The request also carries an Origin header, which tells the server the address of the client making the actual request. The server uses the information from the preflight request to decide whether to accept the actual request that follows.

In its response, the server returns the Access-Control-Allow-Methods header field, which tells the client all allowed request methods, and likewise tells the client which of the custom header fields from Access-Control-Request-Headers are allowed. In addition, the server may return an Access-Control-Max-Age header field, which lets the browser reuse this result directly for the specified time without sending the preflight request again.

The OPTIONS requests initiated by the browser that we see during development are the second case above. In fact, before a "complex request" is sent across domains, the browser first sends a preflight request whose method is OPTIONS.

Second, a simple cross-domain request does not trigger a preflight request; only complex requests are preflighted.

Cross-domain requests come in two kinds: simple requests and complex requests.

A request that meets any one of the following conditions is a complex request:

1. It uses DELETE or PUT;

2. It sends data in JSON format (content-type: application/json);

3. It carries a custom request header.

Any request that meets none of the above conditions is a simple request!

Third, why do complex cross-domain requests require a preflight request?

Complex requests may have side effects on the server's data. For example, DELETE or PUT modifies data on the server, so before sending the request the browser first asks the server whether the domain of the current page is in the server's list of permitted domains. If the server allows it, the browser sends the formal request; otherwise it does not send it.
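
The rules above as an added example (not code from the original post): needsPreflight applies the simple/complex classification on the browser side, and answerPreflight shows one way a server could check the preflight headers against an allow list. The function names, the POLICY object and the example origin are assumptions; Content-Language is included because it is also on the browser's safelist.

```javascript
// Added example: all names, origins and policy values here are constructed.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Browser side: does this cross-domain request trigger a preflight?
function needsPreflight({ method, headers = {} }) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true; // e.g. PUT, DELETE
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(key)) return true;                 // custom header
    if (key === "content-type") {
      const type = value.split(";")[0].trim().toLowerCase();   // drop charset
      if (!SIMPLE_TYPES.has(type)) return true;                // e.g. application/json
    }
  }
  return false;
}

// Server side: constructed allow-list policy.
const POLICY = {
  origins: new Set(["https://app.example.com"]),
  methods: ["GET", "POST", "PUT", "DELETE"],
  headers: ["content-type", "x-request-id"],
  maxAge: 600, // seconds the browser may cache the preflight result
};

// Evaluates an OPTIONS preflight; keys of `h` are lower-cased header names.
function answerPreflight(h, policy = POLICY) {
  const origin = h["origin"];
  const method = (h["access-control-request-method"] || "").toUpperCase();
  const asked = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const ok = policy.origins.has(origin) &&
    policy.methods.includes(method) &&
    asked.every((name) => policy.headers.includes(name));
  // Without CORS headers in the reply the browser never sends the actual request.
  if (!ok) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // echo only an origin that passed the allow list
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      "Access-Control-Max-Age": String(policy.maxAge),
      "Vary": "Origin",
    },
  };
}
```

The preflight only gates what the browser sends; the server still has to authorize the actual PUT or DELETE when it arrives.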

Origin www.cnblogs.com/zhaodagang8/p/11275685.html