Access-Control-Allow-Originis a CORS (Cross-Origin Resource Sharing) header.

Access-Control-Allow-Origin是一个CORS（跨源资源共享）标头。

When Site A tries to fetch content from Site B, Site B can send an Access-Control-Allow-Originresponse header to tell the browser that the content of this page is accessible to certain origins. (An originis a domain, plus a scheme and port number.) By default, Site B's pages are not accessible to any other origin; using the Access-Control-Allow-Originheader opens a door for cross-origin access by specific requesting origins.

当站点 A 尝试从站点 B 获取内容时，站点 B 可以发送Access-Control-Allow-Origin响应标头以告诉浏览器该页面的内容可由某些来源访问。（源是域，加上方案和端口号。）默认情况下，任何其他源都无法访问站点 B 的页面；使用Access-Control-Allow-Origin标头为特定请求源的跨源访问打开了一扇门。

For each resource/page that Site B wants to make accessible to Site A, Site B should serve its pages with the response header:

对于站点 B 想让站点 A 访问的每个资源/页面，站点 B 应为其页面提供响应标头：

Access-Control-Allow-Origin: http://siteA.com

Modern browsers will not block cross-domain requests outright. If Site A requests a page from Site B, the browser will actually fetch the requested page on the network leveland check if the response headers list Site A as a permitted requester domain. If Site B has not indicated that Site A is allowed to access this page, the browser will trigger the XMLHttpRequest's errorevent and deny the response data to the requesting JavaScript code.

现代浏览器不会完全阻止跨域请求。如果站点 A 从站点 B 请求页面，浏览器实际上会在网络级别获取请求的页面，并检查响应头是否将站点 A 列为允许的请求者域。如果站点 B 未指示站点 A 被允许访问此页面，则浏览器将触发XMLHttpRequest'serror事件并拒绝对请求 JavaScript 代码的响应数据。

Non-simple requests

非简单请求

What happens on the network level can be slightlymore complex than explained above. If the request is a "non-simple" request, the browser first sends a data-less "preflight" OPTIONS request, to verify that the server will accept the request. A request is non-simple when either (or both):

在网络级别发生的事情可能比上面解释的稍微复杂一些。如果请求是“非简单”请求，浏览器首先发送一个无数据的“预检”OPTIONS 请求，以验证服务器是否会接受该请求。当其中一个（或两者）：

• using an HTTP verb other than GET or POST (e.g. PUT, DELETE)
• using non-simple request headers; the only simple requests headers are:
  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type(this is only simple when its value is application/x-www-form-urlencoded, multipart/form-data, or text/plain)

• 使用 GET 或 POST 以外的 HTTP 动词（例如 PUT、DELETE）
• 使用非简单的请求头；唯一的简单请求标头是：
  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type（这仅在其值为application/x-www-form-urlencoded、multipart/form-data、 或时才简单text/plain）

If the server responds to the OPTIONS preflight with appropriate response headers (Access-Control-Allow-Headersfor non-simple headers, Access-Control-Allow-Methodsfor non-simple verbs) that match the non-simple verb and/or non-simple headers, then the browser sends the actual request.

如果服务器使用与非简单动词和/或非简单标题匹配的适当响应标题（Access-Control-Allow-Headers对于非简单标题，Access-Control-Allow-Methods对于非简单动词）响应 OPTIONS 预检，则浏览器发送实际请求。

Supposing that Site A wants to send a PUT request for /somePage, with a non-simple Content-Typevalue of application/json, the browser would first send a preflight request:

假设站点 A 想要发送一个 PUT 请求/somePage，带有一个非简单Content-Type值application/json，浏览器将首先发送一个预检请求：

OPTIONS /somePage HTTP/1.1
Origin: http://siteA.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: Content-Type

Note that Access-Control-Request-Methodand Access-Control-Request-Headersare added by the browser automatically; you do not need to add them. This OPTIONS preflight gets the successful response headers:

注意Access-Control-Request-Method和Access-Control-Request-Headers是浏览器自动添加的；您不需要添加它们。此 OPTIONS 预检获得成功的响应标头：

Access-Control-Allow-Origin: http://siteA.com
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: Content-Type

When sending the actual request (after preflight is done), the behavior is identical to how a simple request is handled. In other words, a non-simple request whose preflight is successful is treated the same as a simple request (i.e., the server must still send Access-Control-Allow-Originagain for the actual response).

发送实际请求时（预检完成后），行为与处理简单请求的方式相同。换句话说，预检成功的非简单请求被视为与简单请求相同（即，服务器仍必须Access-Control-Allow-Origin再次发送以获得实际响应）。

The browsers sends the actual request:

浏览器发送实际请求：

PUT /somePage HTTP/1.1
Origin: http://siteA.com
Content-Type: application/json

{ "myRequestContent": "JSON is so great" }

And the server sends back an Access-Control-Allow-Origin, just as it would for a simple request:

然后服务器发回一个Access-Control-Allow-Origin，就像发送一个简单的请求一样：

Access-Control-Allow-Origin: http://siteA.com

See Understanding XMLHttpRequest over CORSfor a little more information about non-simple requests.

有关非简单请求的更多信息，请参阅了解 CORS上的XMLHttpRequest。

Cross-Origin Resource Sharing - CORS(A.K.A. Cross-Domain AJAX request) is an issue that most web developers might encounter, according to Same-Origin-Policy, browsers restrict client JavaScript in a security sandbox, usually JS cannot directly communicate with a remote server from a different domain. In the past developers created many tricky ways to achieve Cross-Domain resource request, most commonly using ways are:

Cross-Origin Resource Sharing - CORS(AKA Cross-Domain AJAX request) 是大多数 Web 开发者可能会遇到的问题，根据 Same-Origin-Policy，浏览器将客户端 JavaScript 限制在安全沙箱中，通常 JS 无法直接与远程服务器通信来自不同的域。过去开发者创造了许多棘手的方式来实现跨域资源请求，最常用的方式是：

1. Use Flash/Silverlight or server side as a "proxy" to communicate with remote.
2. JSON With Padding (JSONP).
3. Embeds remote server in an iframe and communicate through fragment or window.name, refer here.

1. 使用 Flash/Silverlight 或服务器端作为“代理”与远程通信。
2. 带填充的 JSON ( JSONP)。
3. 在 iframe 中嵌入远程服务器并通过 fragment 或 window.name 进行通信，请参阅此处。

Those tricky ways have more or less some issues, for example JSONP might result in security hole if developers simply "eval" it, and #3 above, although it works, both domains should build strict contract between each other, it neither flexible nor elegant IMHO:)

那些棘手的方法或多或少都有一些问题，例如，如果开发人员简单地“评估”JSONP 可能会导致安全漏洞，以及上面的#3，虽然它有效，但两个域之间应该建立严格的契约，既不灵活也不优雅恕我直言：）

W3C had introduced Cross-Origin Resource Sharing (CORS) as a standard solution to provide a safe, flexible and a recommended standard way to solve this issue.

W3C 引入了跨域资源共享 (CORS) 作为标准解决方案，以提供一种安全、灵活且推荐的标准方法来解决此问题。

The Mechanism

机制

From a high level we can simply deem CORS is a contract between client AJAX call from domain A and a page hosted on domain B, a typical Cross-Origin request/response would be:

从高层次我们可以简单地认为 CORS 是来自域 A 的客户端 AJAX 调用和域 B 上托管的页面之间的契约，典型的跨域请求/响应将是：

DomainA AJAX request headers

DomainA AJAX 请求标头

Host DomainB.com
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,application/json
Accept-Language en-us;
Accept-Encoding gzip, deflate
Keep-Alive 115
Origin http://DomainA.com 

DomainB response headers

DomainB 响应头

Cache-Control private
Content-Type application/json; charset=utf-8
Access-Control-Allow-Origin DomainA.com
Content-Length 87
Proxy-Connection Keep-Alive
Connection Keep-Alive

The blue parts I marked above were the kernal facts, "Origin" request header "indicates where the cross-origin request or preflight request originates from", the "Access-Control-Allow-Origin" response header indicates this page allows remote request from DomainA (if the value is * indicate allows remote requests from any domain).

我在上面标记的蓝色部分是内核事实，“Origin”请求标头“表示跨域请求或预检请求的来源”，“Access-Control-Allow-Origin”响应标头表示此页面允许远程请求来自DomainA（如果值为 * 表示允许来自任何域的远程请求）。

As I mentioned above, W3 recommended browser to implement a "preflight request" before submiting the actually Cross-Origin HTTP request, in a nutshell it is an HTTP OPTIONSrequest:

正如我上面提到的，W3 建议浏览器在提交实际跨域 HTTP 请求之前实现“预检请求”，简而言之，它是一个 HTTPOPTIONS请求：

OPTIONS DomainB.com/foo.aspx HTTP/1.1

If foo.aspx supports OPTIONS HTTP verb, it might return response like below:

如果 foo.aspx 支持 OPTIONS HTTP 动词，它可能会返回如下响应：

HTTP/1.1 200 OK
Date: Wed, 01 Mar 2011 15:38:19 GMT
Access-Control-Allow-Origin: http://DomainA.com
Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Max-Age: 1728000
Connection: Keep-Alive
Content-Type: application/json

Only if the response contains "Access-Control-Allow-Origin" AND its value is "*" or contain the domain who submitted the CORS request, by satisfying this mandtory condition browser will submit the actual Cross-Domain request, and cache the result in "Preflight-Result-Cache".

仅当响应包含“Access-Control-Allow-Origin”且值为“*”或包含提交CORS请求的域时，满足此强制条件浏览器才会提交实际的跨域请求，并缓存结果在“预检结果缓存”中。

I blogged about CORS three years ago: AJAX Cross-Origin HTTP request

三年前我写了一篇关于 CORS 的博客：AJAX 跨域 HTTP 请求

Question is a bit too old to answer, but I am posting this for any future reference to this question.

问题有点太老了，无法回答，但我将其发布以供将来参考此问题。

According to thisMozilla Developer Network article,

根据这篇Mozilla 开发者网络文章，

A resource makes a cross-origin HTTP requestwhen it requests a resource from a different domain, or port than the one which the first resource itself serves.

当资源从与第一个资源本身服务的域或端口不同的域或端口请求资源时，它会发出跨域 HTTP 请求。

An HTML pageserved from http://domain-a.commakes an <img>src request for http://domain-b.com/image.jpg.
Many pages on the web today load resources like CSS stylesheets, imagesand scriptsfrom separate domains (thus it should be cool).

一个HTML页面从供应http://domain-a.com作出了<img>对SRC请求http://domain-b.com/image.jpg。
当今网络上的许多页面都加载了来自不同域的CSS 样式表、图像和脚本等资源（因此它应该很酷）。

Same-Origin Policy

同源政策

For security reasons, browsers restrict cross-origin HTTPrequests initiated from within scripts.
For example, XMLHttpRequestand Fetchfollow the same-origin policy.
So, a web application using XMLHttpRequestor Fetchcould only make HTTP requeststo its own domain.

出于安全原因，浏览器会限制从脚本内发起的跨域 HTTP请求。 例如，并且遵循同源策略。 因此，Web应用程序使用或只能使HTTP请求以自己的域。
XMLHttpRequestFetch
XMLHttpRequestFetch

Cross-Origin Resource Sharing (CORS)

跨域资源共享 (CORS)

To improve web applications, developers asked browser vendors to allow cross-domain requests.

为了改进 Web 应用程序，开发人员要求浏览器供应商允许跨域请求。

The Cross-Origin Resource Sharing (CORS)mechanism gives web servers cross-domain access controls, which enable secure cross-domain data transfers.
Modern browsers use CORSin an API container- such as XMLHttpRequestor Fetch- to mitigate risks of cross-origin HTTP requests.

所述跨来源资源共享（CORS）机制给出web服务器跨域的访问控制，这使安全跨域数据传送。
现代浏览器在API 容器中使用CORS- 例如或- 来降低跨域 HTTP 请求的风险。XMLHttpRequestFetch

How CORS works (Access-Control-Allow-Originheader)

CORS 的工作原理（Access-Control-Allow-Origin标题）

Wikipedia:

维基百科：

The CORS standard describes new HTTP headers which provide browsers and servers a way to request remote URLs only when they have permission.

Although some validation and authorization can be performed by the server, it is generally the browser's responsibilityto support these headers and honor the restrictions they impose.

CORS 标准描述了新的 HTTP 标头，这些标头为浏览器和服务器提供了一种只有在他们获得许可的情况下才能请求远程 URL 的方法。

尽管服务器可以执行一些验证和授权，但通常浏览器有责任支持这些标头并遵守它们施加的限制。

Example

例子

1. The browser sends the OPTIONSrequest with an Origin HTTPheader.

   The value of this header is the domain that served the parent page. When a page from http://www.example.comattempts to access a user's data in service.example.com, the following request header would be sent to service.example.com:

   Origin: http://www.example.com

2. The server at service.example.commay respond with:

   • An Access-Control-Allow-Origin(ACAO) header in its response indicating which origin sites are allowed.
     For example:

     Access-Control-Allow-Origin: http://www.example.com

   • An error page if the server does not allow the cross-origin request

   • An Access-Control-Allow-Origin(ACAO) header with a wildcard that allows all domains:

     Access-Control-Allow-Origin: *

1. 浏览器发送OPTIONS带有Origin HTTP标头的请求。

   此标头的值是为父页面提供服务的域。当来自 的页面http://www.example.com尝试访问 中的用户数据时service.example.com，以下请求标头将发​​送至service.example.com：

   来源：http: //www.example.com

2. 服务器 atservice.example.com可能会响应：

   • Access-Control-Allow-Origin其响应中的(ACAO) 标头指示允许哪些源站点。
     例如：

     Access-Control-Allow-Origin: http://www.example.com

   • 如果服务器不允许跨域请求，则出现错误页面

   • Access-Control-Allow-Origin带有通配符的(ACAO) 标头，允许所有域：

     Access-Control-Allow-Origin: *

Whenever I start thinking about CORS, my intuition about which site hosts the headers is incorrect, just as you described in your question. For me, it helps to think about the purpose of the same origin policy.

每当我开始考虑 CORS 时，我对哪个站点托管标头的直觉是不正确的，正如您在问题中所描述的那样。对我来说，思考同源策略的目的是有帮助的。

The purpose of the same origin policy is to protect you from malicious JavaScript on siteA.com accessing private information you've chosen to share only with siteB.com. Without the same origin policy, JavaScript written by the authors of siteA.com could make your browser make requests to siteB.com, using your authentication cookies for siteB.com. In this way, siteA.com could steal the secret information you share with siteB.com.

同源策略的目的是保护您免受 siteA.com 上的恶意 JavaScript 访问您选择仅与 siteB.com 共享的私人信息。如果没有同源策略，由 siteA.com 的作者编写的 JavaScript 可能会使您的浏览器使用您对 siteB.com 的身份验证 cookie 向 siteB.com 发出请求。这样，siteA.com 就可以窃取您与 siteB.com 共享的秘密信息。

Sometimes you need to work cross domain, which is where CORS comes in. CORS relaxes the same origin policy for domainB.com, using the Access-Control-Allow-Originheader to list other domains (domainA.com) that are trusted to run JavaScript that can interact with domainA.com.

有时您需要跨域工作，这就是 CORS 的用武之地。 CORS 放宽了 domainB.com 的同源策略，使用Access-Control-Allow-Origin标头列出其他域 (domainA.com)，这些域被信任运行可以与 domainA 交互的 JavaScript。 com。

To understand which domain should serve the CORS headers, consider this. You visit malicious.com, which contains some JavaScript that tries to make a cross domain request to mybank.com. It should be up to mybank.com, not malicious.com, to decide whether or not it sets CORS headers that relax the same origin policy allowing the JavaScript from malicious.com to interact with it. If malicous.com could set its own CORS headers allowing its own JavaScript access to mybank.com, this would completely nullify the same origin policy.

要了解哪个域应该为 CORS 标头提供服务，请考虑这一点。您访问了恶意网站，其中包含一些尝试向 mybank.com 发出跨域请求的 JavaScript。应该由 mybank.com 而非恶意网站来决定是否设置 CORS 标头以放宽同源策略，允许来自恶意网站的 JavaScript 与其交互。如果 malicous.com 可以设置它自己的 CORS 标头，允许它自己的 JavaScript 访问 mybank.com，这将完全取消同源策略。

I think the reason for my bad intuition is the point of view I have when developing a site. It's mysite, with all myJavaScript, therefore it isn't doing anything malicious and it should be up to meto specify which other sites myJavaScript can interact with. When in fact I should be thinking which othersites JavaScript are trying to interact with my site and should I use CORS to allow them?

我认为我直觉不好的原因是我在开发网站时的观点。这是我的网站，使用我所有的JavaScript，因此它没有做任何恶意的事情，应该由我来指定我的JavaScript 可以与哪些其他网站进行交互。事实上，我应该考虑哪些其他网站 JavaScript 正在尝试与我的网站进行交互，我应该使用 CORS 来允许它们吗？

1. A client downloads javascript code MyCode.js from http://siteA- the origin.

1. 客户端从http://siteA- 源下载 javascript 代码 MyCode.js 。

The code that does the downloading - your html script tag or xhr from javascript or whatever - came from, let's say, http://siteZ. And, when the browser requests MyCode.js, it sends an Origin: header saying "Origin: http://siteZ", because it can see that you're requesting to siteA and siteZ != siteA. (You cannot stop or interfere with this.)

进行下载的代码 - 你的 html 脚本标签或来自 javascript 的 xhr 或其他任何东西 - 来自，比如说，http://siteZ。而且，当浏览器请求 MyCode.js 时，它会发送一个 Origin: 标头，上面写着“Origin: http://siteZ”，因为它可以看到您正在请求 siteA 和 siteZ != siteA。（您不能停止或干扰这一点。）

2. The response header of MyCode.js contains Access-Control-Allow-Origin: http://siteB, which I thought meant that MyCode.js was allowed to make cross-origin references to the site B.

2. MyCode.js 的响应头包含 Access-Control-Allow-Origin: http://siteB，我认为这意味着 MyCode.js 被允许对站点 B 进行跨域引用。

no. It means, Only siteB is allowed to do this request. So your request for MyCode.js from siteZ gets an error instead, and the browser typically gives you nothing. But if you make your server return A-C-A-O: siteZ instead, you'll get MyCode.js . Or if it sends '*', that'll work, that'll let everybody in. Or if the server always sends the string from the Origin: header... but... for security, if you're afraid of hackers, your server should only allow origins on a shortlist, that are allowed to make those requests.

不。这意味着，只有 siteB 被允许做这个请求。因此，您对来自 siteZ 的 MyCode.js 的请求反而会得到一个错误，而浏览器通常不会给您任何信息。但是如果你让你的服务器返回 ACAO: siteZ ，你会得到 MyCode.js 。或者如果它发送'*'，那会起作用，这会让每个人进入。或者如果服务器总是从 Origin: 头发送字符串......但是......为了安全，如果你害怕黑客，您的服务器应该只允许候选名单上的来源，这些来源被允许提出这些请求。

Then, MyCode.js comes from siteA. When it makes requests to siteB, they are all cross-origin, the browser sends Origin: siteA, and siteB has to take the siteA, recognize it's on the short list of allowed requesters, and send back A-C-A-O: siteA. Only then will the browser let your script get the result of those requests.

然后，MyCode.js 来自 siteA。当它向 siteB 发出请求时，它们都是跨域的，浏览器发送 Origin：siteA，而 siteB 必须获取 siteA，识别它在允许请求者的简短列表中，然后发回 ACAO：siteA。只有这样，浏览器才会让您的脚本获得这些请求的结果。

Using Reactand Axios, join proxy link to the URL and add header as shown below

使用React和Axios，将代理链接加入到 URL 并添加标题，如下所示

https://cors-anywhere.herokuapp.com/+ Your API URL

https://cors-anywhere.herokuapp.com/+ Your API URL

Just by adding the Proxy link will work, but it can also throw error for No Access again. Hence better to add header as shown below.

只需添加代理链接即可工作，但它也可能再次引发无访问权限错误。因此最好添加标题，如下所示。

axios.get(`https://cors-anywhere.herokuapp.com/[YOUR_API_URL]`,{headers: {'Access-Control-Allow-Origin': '*'}})
      .then(response => console.log(response:data);
  }

If you want just to test a cross domain application in which the browser blocks your request, then you can just open your browser in unsafe mode and test your application without changing your code and without making your code unsafe. From MAC OS you can do this from the terminal line:

如果您只想测试浏览器阻止您的请求的跨域应用程序，那么您可以在不安全模式下打开浏览器并测试您的应用程序，而无需更改您的代码并且不会使您的代码不安全。在 MAC OS 中，您可以从终端行执行此操作：

open -a Google\ Chrome --args --disable-web-security --user-data-dir

If you are using PHP, try adding the following code at the beginning of the php file:

如果您使用的是 PHP，请尝试在 php 文件的开头添加以下代码：

If you are using localhost, try this:

如果您使用的是本地主机，请尝试以下操作：

header("Access-Control-Allow-Origin: *");

If you are using external domains such as server, try this:

如果您使用的是服务器等外部域，请尝试以下操作：

header("Access-Control-Allow-Origin: http://www.website.com");

i work with express 4 and node 7.4 and angular,I had the same problem me help this:
a) server side: in file app.js i give headers to all response like:

我使用 express 4 和 node 7.4 以及 angular，我遇到了同样的问题，我可以帮忙：
a) 服务器端：在文件 app.js 中，我为所有响应提供了标头，例如：

app.use(function(req, res, next) {  
      res.header('Access-Control-Allow-Origin', req.headers.origin);
      res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
      next();
 });  

this must have before all router.
I saw a lot of added this headers:

这必须在所有路由器之前都有。
我看到很多添加了这个标题：

res.header("Access-Control-Allow-Headers","*");
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');

but i dont need that,
b) client side: in send ajax you need add: "withCredentials: true," like:

但我不需要那个，
b) 客户端：在发送 ajax 时，您需要添加：“withCredentials: true”，例如：

$http({
     method: 'POST',
     url: 'url, 
     withCredentials: true,
     data : {}
   }).then(function(response){
        // code  
   }, function (response) {
         // code 
   });

good luck.

祝你好运。

For cross origin sharing, set header: 'Access-Control-Allow-Origin':'*';

对于跨源共享，设置标题： 'Access-Control-Allow-Origin':'*';

Php: header('Access-Control-Allow-Origin':'*');

博士： header('Access-Control-Allow-Origin':'*');

Node: app.use('Access-Control-Allow-Origin':'*');

节点： app.use('Access-Control-Allow-Origin':'*');

This will allow to share content for different domain.

这将允许共享不同域的内容。