cross origin

[phymo]

浏览器的同源策略，运行在server端的node.js并没有这个约束，所以可以在server端用node.js做代理转发，把浏览器的同源请求 转发给 真正的API服务器

[phymo]

https://jakearchibald.com/2021/cors/

[phymo]

[phymo]

https://javascript.info/fetch-crossorigin

• At first, cross-origin requests were forbidden. But as a result of long discussions, cross-origin requests were allowed, but with any new capabilities requiring an explicit allowance by the server, expressed in special headers.

[phymo]

safe request

A request is safe if it satisfies two conditions: Safe method: GET, POST or HEAD Safe headers – the only allowed custom headers are: Accept, Accept-Language, Content-Language, Content-Type with the valueapplication/x-www-form-urlencoded, multipart/form-data or text/plain.

The essential difference is that a safe request can be made with a <form> or a <script>, without any special methods.

[phymo]

unsafe request

When we try to make a unsafe request, the browser sends a special “preflight” request that asks the server – does it agree to accept such cross-origin requests, or not?

And, unless the server explicitly confirms that with headers, an unsafe request is not sent.