Does Cross-Origin Resource Sharing(CORS) different

2019-01-18 10:25发布

I have two sites : https//:www.domain-only-uses-https.com and www.domain-uses-both-http-and-https.com

Now I am making 2 ajax GET requests in the page of the former to the later, one is

https://www.domain-uses-both-http-and-https.com/some-path  (using the HTTPS scheme)

and the other one is

http://www.domain-uses-both-http-and-https.com/some-other-path (using the HTTP scheme)

And I DID set the "https//:www.domain-only-uses-https.com" as the value of "Access-Control-Allow-Origin:" header in the server "www.domain-uses-both-http-and-https.com ".

But now it seems that only request 1 is allowed by Chrome ,but request 2 is forbidden.

So my question is : does the "Access-Control-Allow-Origin" header differentiate between HTTP AND HTTPS? Hope I've made myself clear..

标签： javascript http xmlhttprequest cors

1条回答

成全新的幸福

2楼-- · 2019-01-18 11:12

Yes, HTTP and HTTPS origins are different.

An origin is a combination of hostname, port, and scheme.

  http://foo.example.com:8080/
  ^^^^   ^^^^^^^^^^^^^^^ ^^^^
   ||           ||        ||
 scheme      hostname    port

If not all of these fields match between two resources, then the resources are from different origins. Thus, you must expressly specify whether the resource is accessible from the origin with an HTTP scheme or the origin with an HTTPS scheme.

Some browsers only allow the Access-Control-Allow-Origin header to contain exactly one origin (or *) sent with each response; however, your server can detect the request's Origin header and send the same origin in the CORS response.

0人赞添加讨论(0) 举报

Does Cross-Origin Resource Sharing(CORS) different

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间