这篇翻译不完整。请帮忙从英语翻译这篇文章

响应首部 Access-Control-Allow-Headers 用于 preflight request (预检请求)中,列出了将会在正式请求的 Access-Control-Expose-Headers 字段中出现的首部信息。

简单首部,如 simple headersAcceptAccept-LanguageContent-LanguageContent-Type (只限于解析后的值为 application/x-www-form-urlencoded、multipart/form-data 或 text/plain 三种MIME类型(不包括参数)),它们始终是被支持的,不需要在这个首部特意列出。

如果请求中含有 Access-Control-Request-Headers 字段,那么这个首部是必要的。

Header type Response header
Forbidden header name no

语法

 

Access-Control-Allow-Headers: <header-name>[, <header-name>]*

 

指令

<header-name>
可支持的请求首部名字。请求头会列出所有支持的首部列表,用逗号隔开。

注意以下这些特定的首部是一直允许的:Accept, Accept-Language, Content-Language, Content-Type (但只在其值属于 MIME 类型 application/x-www-form-urlencodedmultipart/form-data 或 text/plain中的一种时)。这些被称作simple headers,你无需特意声明它们。

示例

 

自定义的请求头

Here's an example of what an Access-Control-Allow-Headers header might look like. It indicates that in addition to the "simple" headers, a custom header named X-Custom-Headeris supported by CORS requests to the server.

Access-Control-Allow-Headers: X-Custom-Header

Multiple headers

This example shows Access-Control-Allow-Headers when it specifies support for multiple headers.

Access-Control-Allow-Headers: X-Custom-Header, Upgrade-Insecure-Requests

Example preflight request

Let's look at an example of a preflight request involving Access-Control-Allow-Headers.

Request

First, the request.  The preflight request is an OPTIONS request which includes some combination of the three preflight request headers: Access-Control-Request-Method, Access-Control-Request-Headers, and Origin, such as:

OPTIONS /resource/foo
Access-Control-Request-Method: DELETE
Access-Control-Request-Headers: origin, x-requested-with
Origin: https://foo.bar.org

Response

If the server allows CORS requests to use the DELETE method, it responds with an Access-Control-Allow-Methods response header, which lists DELETE along with the other methods it supports:

HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Origin: https://foo.bar.org
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Max-Age: 86400

If the requested method isn't supported, the server will respond with an error.

 

规范

Specification Status Comment
Fetch
Access-Control-Allow-Headers
Living Standard Initial definition.

浏览器兼容性

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidEdge MobileFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
Access-Control-Allow-HeadersChrome Full support 4Edge Full support 12Firefox Full support 3.5IE Full support 10Opera Full support 12Safari Full support 4WebView Android Full support 2Chrome Android Full support YesEdge Mobile Full support YesFirefox Android Full support 4Opera Android Full support 12Safari iOS Full support 3.2Samsung Internet Android Full support Yes

Legend

Full support  
Full support

有关兼容性的注意事项

相关内容

文档标签和贡献者

此页面的贡献者: Soyaine, mdnwebdocs-bot, WayneCui
最后编辑者: Soyaine,