根据文档,对于简单的请求,预检不应该发生:https://developer.mozilla.org/en/docs/Web/HTTP/Access_control_CORS https://developer.mozilla.org/en/docs/Web/HTTP/Access_control_CORS).
如果我不在请求中添加额外的“Authorization”标头,情况确实如此:
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": "Basic _base64_string_"
没有“授权”标头:
:authority:www.target.com
:method:POST //<----------------This is correct
:path:/oauth2/access_token?client_id=xxx-xxx
:scheme:https
accept:application/json, text/plain, */*
accept-encoding:gzip, deflate, br
accept-language:en-US,en;q=0.8,fr;q=0.6
content-length:79
content-type:application/x-www-form-urlencoded//<----------------This is correct
origin:http://source.com:4200
referer:http://source.com:4200/
通过“Authorization”标头,OPTIONS 方法会自动设置:
:authority:www.target.com
:method:OPTIONS //<----------------This is NOT correct, caused by Authorization header
:path:/oauth2/access_token?client_id=xxx-xxx
:scheme:https
accept:*/*
accept-encoding:gzip, deflate, sdch, br
accept-language:en-US,en;q=0.8,fr;q=0.6
access-control-request-headers:authorization
access-control-request-method:POST
origin:http://source.com:4200
referer:http://source.com:4200/
由于这个问题,我无法授权我的应用程序,服务器响应是:
HTTP method 'OPTIONS' is not allowed. Expected 'POST'
因此,“Authorization”标头似乎触发了 CORS 中的预检。
有人能解释一下吗?