Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight res

一、问题：

跨域请求中包含自定义header字段时，浏览器console报错。

Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response

二、原因：

包含自定义header字段的跨域请求，浏览器会先向服务器发送OPTIONS请求，探测该服务器是否允许自定义的跨域字段。

如果允许，则继续实际的POST／GET正常请求，否则，返回标题所示错误。
三、解决办法：

服务端需要对OPTIONS请求做出应答，应答header中包含 Access-Control-Allow-Headers，且值包含options请求中Access-Control-Request-Headers的值。

以下为java服务端filter中设置的OPTIONS请求处理代码。

public void doFilter(ServletRequest req, ServletResponse resp,FilterChain chain) throws IOException, ServletException {
    	try {
    		HttpServletRequest hreq = (HttpServletRequest) req;
    		HttpServletResponse hresp = (HttpServletResponse) resp;
    		("Access-Control-Allow-Origin", "*");
    		("Access-Control-Allow-Methods", "*");
    		("Access-Control-Allow-Headers", "Origin,Content-Type,Accept,token,X-Requested-With");
    		if (().equals("OPTIONS")) {
    			(());
    			().write("OPTIONS returns OK");
                return;
            }
    		(req, resp);
     
    	} catch (Exception e) {
    		();
    	}
    }

秒客网

Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight res

相关文章