For a complex (non-simple) request, the browser first sends a preflight request:
curl -i 'https://ds.fe.test.sankuai.com/api/groupfission/rule/activityList?page=1&size=10&title=' \
-X 'OPTIONS' \
-H 'Accept: */*' \
-H 'Accept-Language: zh-CN,zh;q=0.9' \
-H 'Access-Control-Request-Headers: access-token,client-id,swimlane' \
-H 'Access-Control-Request-Method: GET' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Origin: http://127.0.0.1:8080' \
-H 'Pragma: no-cache' \
-H 'Referer: http://127.0.0.1:8080/' \
-H 'swimlane: 38941-ujzun' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: cross-site' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36' \
--compressed
The logic SpringMVC uses to decide that a request is a preflight request:
SpringMVC's default cross-origin handler class: org.springframework.web.cors.DefaultCorsProcessor
With no CORS configuration present, it returns immediately, and the preflight is rejected:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 21 Apr 2022 09:08:48 GMT
Content-Length: 20
Connection: keep-alive
M-TraceId: 5004084855451728121
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Invalid CORS request
If the swimlane has an allow-list configured but the trunk does not, then the preflight request, which lacks the fixed routing header field, is routed to the trunk instead of the swimlane, and the result is a cross-origin error.
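The following is an added example, not code from the original notes or from the service discussed above, showing the configuration that gives DefaultCorsProcessor a CorsConfiguration to work with so the preflight returns 200 with the Access-Control-Allow-* headers instead of 403 "Invalid CORS request". The origin, path pattern, and header names are taken from the curl request above; the class name CorsConfig and the /api/** mapping are assumptions. Because the browser's preflight only names the custom headers in Access-Control-Request-Headers and does not carry them, a gateway cannot route the preflight by the swimlane header, so this mapping has to be deployed on the trunk as well as on the swimlane.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Added example configuration (not the project's own code).
// Registering a mapping here is what makes DefaultCorsProcessor receive a
// non-null CorsConfiguration; without it, a preflight (OPTIONS + Origin +
// Access-Control-Request-Method) is rejected with 403 "Invalid CORS request".
@Configuration
public class CorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")                       // path pattern is an assumption
                // Explicit origin allow-list; avoid "*" together with credentials.
                .allowedOrigins("http://127.0.0.1:8080")
                // Must cover the value sent in Access-Control-Request-Method.
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                // Must cover every name sent in Access-Control-Request-Headers,
                // otherwise the preflight is still rejected.
                .allowedHeaders("access-token", "client-id", "swimlane")
                .allowCredentials(false)
                // Lets the browser cache the preflight result (seconds).
                .maxAge(3600);
    }
}
```

A quick check after deploying: repeat the OPTIONS request from the curl above against each environment the preflight can be routed to; a correctly configured instance answers 200 with Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers echoing the allowed values, while an instance still lacking the mapping keeps answering 403 "Invalid CORS request".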
Reference: https://www.ruanyifeng.com/blog/2016/04/cors.html