b_ant_tech
Share credentials with CORS
If you want to send cookies when using CORS (which could identify the sender), you need to add additional headers to the request and response.
Request
Add credentials: 'include' to the fetch options. This includes the cookie with the request.
Response
Access-Control-Allow-Origin must be set to a specific origin (the wildcard * is not allowed), and Access-Control-Allow-Credentials must be set to true.
Preflight requests for complex HTTP calls
The CORS specification defines a complex request as:
◆ A request that uses methods other than GET, POST, or HEAD
◆ A request that includes headers other than Accept, Accept-Language or Content-Language
◆ A request that has a Content-Type header other than application/x-www-form-urlencoded, multipart/form-data, or text/plain
Browsers create a preflight request when one is needed. It is an OPTIONS request that is sent before the actual request message.
The server response can also include an Access-Control-Max-Age header to specify the duration (in seconds) to cache preflight results so the client does not need to make a preflight request every time it sends a complex request.
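
The credentialed request and the preflight handling described above, as an added example that is not part of the original page. The allowlisted origin, the method and header allowlists, the Max-Age value and the function names are assumptions chosen for illustration.

```javascript
// Assumed policy values (constructed for this example).
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "x-requested-with"];
const MAX_AGE_SECONDS = 600; // how long the browser may cache the preflight result

// Browser side: send cookies with a cross-origin request.
function fetchWithCookies(url, options = {}) {
  return fetch(url, { ...options, credentials: "include" });
}

// Server side: compute the CORS headers for a request.
// `req` is { method, headers } with lower-cased header names (as Node's http module provides).
function corsDecision(req) {
  const headers = { Vary: "Origin" }; // response differs per Origin, so caches must key on it
  const origin = req.headers["origin"];
  const isPreflight = req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;
  const deny = { allowed: false, isPreflight, headers };

  // Unknown origin: send no CORS headers, so the browser refuses to expose the response.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return deny;

  if (isPreflight) {
    const method = req.headers["access-control-request-method"];
    const requested = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(method) ||
        !requested.every((h) => ALLOWED_HEADERS.includes(h))) return deny;
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = String(MAX_AGE_SECONDS);
  }
  // Credentialed responses must name the exact origin; "*" is rejected by browsers.
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return { allowed: true, isPreflight, headers };
}

// Constructed sample: the preflight a browser would send before a JSON PUT.
const samplePreflight = {
  method: "OPTIONS",
  headers: {
    origin: "https://app.example",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "Content-Type",
  },
};
console.log(corsDecision(samplePreflight));
```

Echoing the Origin header back is only safe because it is first checked against an exact-match allowlist; reflecting any origin together with Access-Control-Allow-Credentials: true would let every site read authenticated responses.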
CORS exists only in the browser, because the browser receives a normal response but blocks loading of the new response.