javascript: Does Cross-Origin Resource Sharing (CORS) differentiate between HTTP and HTTPS?
Original URL: http://stackoverflow.com/questions/19541547/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Does Cross-Origin Resource Sharing (CORS) differentiate between HTTP and HTTPS?
Asked by NextStep
I have two sites: https//:www.domain-only-uses-https.com and www.domain-uses-both-http-and-https.com
Now I am making 2 ajax GET requests in the page of the former to the latter, one is
https://www.domain-uses-both-http-and-https.com/some-path (using the HTTPS scheme)
and the other one is
http://www.domain-uses-both-http-and-https.com/some-other-path (using the HTTP scheme)
And I DID set the "https//:www.domain-only-uses-https.com" as the value of the "Access-Control-Allow-Origin:" header in the server "www.domain-uses-both-http-and-https.com".
But now it seems that only request 1 is allowed by Chrome, but request 2 is forbidden.
So my question is: does the "Access-Control-Allow-Origin" header differentiate between HTTP and HTTPS? Hope I've made myself clear.
Answered by apsillers
Yes, HTTP and HTTPS origins are different.
An origin is a combination of hostname, port, and scheme.
    http://foo.example.com:8080/
    ^^^^   ^^^^^^^^^^^^^^^ ^^^^
     ||          ||         ||
    scheme    hostname     port
If not all of these fields match between two resources, then the resources are from different origins. Thus, you must expressly specify whether the resource is accessible from the origin with an HTTP scheme or the origin with an HTTPS scheme.
Some browsers only allow the Access-Control-Allow-Origin header to contain exactly one origin (or *) sent with each response; however, your server can detect the request's Origin header and send the same origin in the CORS response.
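The answer's two points, origin comparison by scheme, hostname and port, and echoing the request's Origin header only when it is expected, as an added example that is not part of the original answer. The function names are hypothetical, the hostname is the placeholder from the question, and the `Vary: Origin` header is an addition so that caches do not serve one origin's response to another.

```javascript
// Added example: origin comparison and allowlist-based CORS response headers.
// Function names are hypothetical; the hostname is the question's placeholder.

// Reduce a URL to its origin tuple (scheme, hostname, port). The URL parser
// drops a scheme's default port, so it is filled back in for comparison.
function originTuple(url) {
  const u = new URL(url);
  const defaultPorts = { "http:": "80", "https:": "443" };
  return [u.protocol, u.hostname, u.port || defaultPorts[u.protocol] || ""];
}

// Two URLs share an origin only if all three fields match.
function sameOrigin(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  return ta.every((part, i) => part === tb[i]);
}

// Origins this server trusts. An http:// variant would be a separate entry.
const ALLOWED_ORIGINS = new Set([
  "https://www.domain-only-uses-https.com",
]);

// Given the request's Origin header value, return the CORS headers to add to
// the response. The origin is echoed back only on an exact allowlist match;
// it is never reflected unconditionally.
function corsHeaders(requestOrigin) {
  const headers = { "Vary": "Origin" }; // the response differs per Origin
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}
```
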