Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight res

时间:2025-03-14 08:40:21

一、问题:

跨域请求中包含自定义header字段时,浏览器console报错。

Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response

二、原因:

包含自定义header字段的跨域请求,浏览器会先向服务器发送OPTIONS请求,探测该服务器是否允许自定义的跨域字段。

如果允许,则继续实际的POST/GET正常请求,否则,返回标题所示错误。
三、解决办法:

服务端需要对OPTIONS请求做出应答,应答header中包含 Access-Control-Allow-Headers,且值包含options请求中Access-Control-Request-Headers的值。

以下为java服务端filter中设置的OPTIONS请求处理代码。

public void doFilter(ServletRequest req, ServletResponse resp,FilterChain chain) throws IOException, ServletException {
    	try {
    		HttpServletRequest hreq = (HttpServletRequest) req;
    		HttpServletResponse hresp = (HttpServletResponse) resp;
    		("Access-Control-Allow-Origin", "*");
    		("Access-Control-Allow-Methods", "*");
    		("Access-Control-Allow-Headers", "Origin,Content-Type,Accept,token,X-Requested-With");
    		if (().equals("OPTIONS")) {
    			(());
    			().write("OPTIONS returns OK");
                return;
            }
    		(req, resp);
     
    	} catch (Exception e) {
    		();
    	}
    }