轉自：http://blog.csdn.net/wangkang80/article/details/72829390

什麽是跨域?

假設你在http://xxx.com/test/下有一個js文件,從這個js裏發出一個ajax請求請求後端服務,按照如下情況判定:

解決方案：

1） JSONP :

動態添加一個<script>標簽，而script標簽的src屬性是沒有跨域的限制的。這樣說來，這種跨域方式其實與ajax XmlHttpRequest協議無關了,而缺點也很明顯,它只支持GET請求而不支持POST等其它類型的HTTP請求；它只支持跨域HTTP請求這種情況，不能解決不同域的兩個頁面之間如何進行JavaScript調用的問題

2） NGINX代理 :

通過一個代理服務器,將跨域的請求轉發,如:前端JS在http://www.demo.com/a.js,後端是http://www.abc.com/app/action,通過代理可將後端的地址轉換成http://www.demo/app/action,這樣,從前端發起的請求,就不存在跨域的情況了

3）CORS

然後CORS是支持所有類型的HTTP請求,並且也只是服務端進行設置即可,但是缺點就是老的瀏覽器不支持CORS(如:IE7,7,8,等)

什麽是CORS？

Cross-origin resource sharing(跨域資源共享),是一個W3C標準,它允許你向一個不同源的服務器發出XMLHttpRequest

CORS的響應頭

Access-Control-Allow-Origin : 必須的,允許的域名,如果設置*,則表示接受任何域名

Access-Control-Allow-Credentials : 非必須的,表示是否允許發送Cookie,註意,當設置為true的時候,客戶端的ajax請求,也需要將withCredentials屬性設置為true

Access-Control-Expose-Headers : 非必須的,表示客戶端能拿到的header,默認情況下XMLHttpRequest的getResponseHeader方法只能拿到幾個基本的header,如果有自定義的header要獲取的話,則需要設置此值

Access-Control-Request-Method : 必須的,表示CORS上會使用到那些HTTP方法

Access-Control-Request-Headers : 必須的,表示CORS上會有那些額外的的有信息

代碼實現：

@Component

public class SimpleCORSFilter implements Filter {

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

HttpServletResponse response = (HttpServletResponse) res;

response.setHeader("Access-Control-Allow-Origin", "*");

response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");

response.setHeader("Access-Control-Max-Age", "3600");

response.setHeader("Access-Control-Allow-Headers", "x-requested-with");

chain.doFilter(req, res);

}

public void init(FilterConfig filterConfig) {}

public void destroy() {}

}

完整代碼，詳見：https://www.tianmaying.com/tutorial/cross-origin-rest-service

也可以通過nginx配置CORS：

轉自：https://enable-cors.org/server_nginx.html

#

# Wide-open CORS config for nginx

#

location / {

if ($request_method = ‘OPTIONS‘) {

add_header ‘Access-Control-Allow-Origin‘ ‘*‘;

add_header ‘Access-Control-Allow-Methods‘ ‘GET, POST, OPTIONS‘;

#

# Custom headers and headers various browsers *should* be OK with but aren‘t

#

add_header ‘Access-Control-Allow-Headers‘ ‘DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range‘;

#

# Tell client that this pre-flight info is valid for 20 days

#

add_header ‘Access-Control-Max-Age‘ 1728000;

add_header ‘Content-Type‘ ‘text/plain; charset=utf-8‘;

add_header ‘Content-Length‘ 0;

return 204;

}

if ($request_method = ‘POST‘) {

add_header ‘Access-Control-Allow-Origin‘ ‘*‘;

add_header ‘Access-Control-Allow-Methods‘ ‘GET, POST, OPTIONS‘;

add_header ‘Access-Control-Allow-Headers‘ ‘DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range‘;

add_header ‘Access-Control-Expose-Headers‘ ‘DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range‘;

}

if ($request_method = ‘GET‘) {

add_header ‘Access-Control-Allow-Origin‘ ‘*‘;

add_header ‘Access-Control-Allow-Methods‘ ‘GET, POST, OPTIONS‘;

add_header ‘Access-Control-Allow-Headers‘ ‘DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range‘;

add_header ‘Access-Control-Expose-Headers‘ ‘DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range‘;

}

}

springCloud跨域訪問