On the two CORS fields I have misunderstood twice
Never step into the same pit three times.
access-control-allow-headers
access-control-expose-headers

about cors

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the first resource was served.
CORS, Cross-Origin Resource Sharing, lets the browser request resources from a server whose origin differs from the page's own.

concept

  1. a preflight request is the OPTIONS request the browser sends during the CORS process
  2. the actual request is the request that is really sent afterwards

access-control-allow-headers

Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request.
That is: which request headers the browser is allowed to carry on the actual request.

access-control-expose-headers

The Access-Control-Expose-Headers header indicates which response headers can be exposed to the page's scripts (a CORS-enabled API such as fetch or XMLHttpRequest).
That is: after the browser sends the actual request and gets the response, which headers in that response the browser lets scripts use/read. It takes effect on the actual response, not on the preflight response.
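
The two checks side by side, as an added example that is not part of the original post: a small simulation of what the browser does with each header. The header safelists are simplified from the Fetch standard (for instance, Content-Type is only safelisted for a few MIME types, which is ignored here), and the function names are my own.

```python
# Simplified CORS-safelisted names (Fetch standard); assumed simplification, see lead-in.
SAFELISTED_REQUEST_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_RESPONSE_HEADERS = {"cache-control", "content-language", "content-length",
                               "content-type", "expires", "last-modified", "pragma"}
FORBIDDEN_RESPONSE_HEADERS = {"set-cookie", "set-cookie2"}  # never readable by script


def _header_list(value):
    """Parse a comma-separated list of header names into lowercase names."""
    return {h.strip().lower() for h in (value or "").split(",") if h.strip()}


def _lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}


def rejected_request_headers(preflight_response, request_headers, credentials=False):
    """Names the actual request wants to send that the preflight does not permit.

    An empty set means the preflight passes. Only Access-Control-Allow-Headers
    on the *preflight* response is consulted here.
    """
    allowed = _header_list(_lower_keys(preflight_response).get("access-control-allow-headers"))
    wanted = {h.lower() for h in request_headers}
    if "*" in allowed and not credentials:
        # For anonymous requests the wildcard covers every header except Authorization.
        return {"authorization"} & wanted
    # With credentials the wildcard is a literal name and matches nothing useful.
    return wanted - allowed - SAFELISTED_REQUEST_HEADERS


def readable_response_headers(actual_response, credentials=False):
    """Names of headers on the *actual* response that script is allowed to read.

    Only Access-Control-Expose-Headers on this response matters; the same
    header sent on the preflight response has no effect at all.
    """
    headers = _lower_keys(actual_response)
    exposed = _header_list(headers.get("access-control-expose-headers"))
    candidates = set(headers) - FORBIDDEN_RESPONSE_HEADERS
    if "*" in exposed and not credentials:
        return candidates
    return {n for n in candidates if n in exposed or n in SAFELISTED_RESPONSE_HEADERS}
```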

playground

nginx

worker_processes 1;
daemon off;
error_log nginx_error.log;
events {
    worker_connections 1024;
}

http {
    server {
        listen 8008;

        location = /test {
            # preflight: the browser sends OPTIONS before the actual request
            if ($request_method = 'OPTIONS') {
                add_header 'Access-Control-Allow-Origin' '*' always;
                # note: browsers reject a credentialed response whose Allow-Origin is '*';
                # this playground sends no cookies, so the combination is harmless here
                add_header 'Access-Control-Allow-Credentials' 'true' always;
                add_header 'Access-Control-Allow-Methods' 'GET,OPTIONS' always;
                # which request headers the actual request may carry
                add_header 'Access-Control-Allow-Headers' 'browser-can-bring-this-header' always;
                add_header 'Content-Type' 'text/plain; charset=UTF-8' always;
                add_header 'Content-Length' 0 always;
                return 204;
            }

            # actual request: Allow-Origin is required on this response as well, and
            # Expose-Headers only takes effect here, not on the preflight response
            add_header 'Access-Control-Allow-Origin' '*' always;
            # which response headers script may read from this response
            add_header 'Access-Control-Expose-Headers' 'browser-can-read-this-header' always;
            return 200 'Hello World';
        }
    }
}