🖥
HTTP OPTIONS request の Access-Control-Request-Method / Access-Control-
Access-Control-Request-Method とは
- GETはいけるかな?
- POSTはいけるかな?
ってサーバーに問い合わせられる規格だと思うのだけれど、違うんだろうか。
サーバーに知らせる
知らせる役割。サーバーが何かを教えてくれるとは限らない。たぶん。
Access-Control-Request-Headers リクエストヘッダーは preflight request を発行するときに使用され、実際のリクエストが行われたときにどの HTTP ヘッダーが使用されるかをサーバーに知らせます。
Access-Control-Request-Headers - HTTP | MDN
Allowとの違いは
サーバーは Access-Control-Allow-Methods を返しており、これは当該リソースへの問い合わせで // 実行可能なメソッドであることを伝えます。なお、このヘッダーはレスポンスヘッダーの Allow と似ていますが、アクセス制御でのみ使用されることに注意してください。
オリジン間リソース共有 (CORS) - HTTP | MDN
へぇ
curlであそぼ
よく分かっていないので いろんなサイトであそぶ。
Github
404 Not Found でそもそも使えない
$ curl --head -X 'OPTIONS' 'https://github.com/'
HTTP/1.1 404 Not Found
Date: Sat, 16 Nov 2019 01:46:59 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: GitHub.com
Status: 404 Not Found
X-Request-Id: 51034b0e-fbe4-42d7-8a38-ebc78beff923
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com collector.githubapp.com avatars0.githubusercontent.com avatars1.githubusercontent.com avatars2.githubusercontent.com avatars3.githubusercontent.com github-cloud.s3.amazonaws.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com
X-GitHub-Request-Id: E5E5:62F0:57C2C:85738:5DCF5512
httpbin.org
- Access-Control-Allow-Methods が返ってくる
- リクエストの Access-Control-Request-Method は見てなさそう
$ curl --head -X 'OPTIONS' 'https://httpbin.org/' --header 'Access-Control-Request-Method: XXX'
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Allow: HEAD, OPTIONS, GET
Content-Type: text/html; charset=utf-8
Date: Sat, 16 Nov 2019 01:45:27 GMT
Referrer-Policy: no-referrer-when-downgrade
Server: nginx
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Length: 0
Connection: keep-alive
example.com
- allow が返ってくるが Access-Control-Allow-Methods との違いはなんなのだろう
- リクエストの Access-Control-Request-Method は見てなさそう
$ curl --head -X 'OPTIONS' 'https://example.com/' --header 'Access-Control-Request-Method: XXX'
HTTP/2 200
allow: OPTIONS, GET, HEAD, POST
cache-control: max-age=604800
content-type: text/html; charset=UTF-8
date: Sat, 16 Nov 2019 01:48:14 GMT
expires: Sat, 23 Nov 2019 01:48:14 GMT
server: EOS (vny006/044F)
content-length: 0
yahoo.com
- 特に何も教えてくれない
$ curl --head -X 'OPTIONS' 'https://www.yahoo.com/'
HTTP/2 200
date: Sat, 16 Nov 2019 01:51:02 GMT
p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
cache-control: no-store, no-cache, max-age=0, private
strict-transport-security: max-age=31536000
accept-ch: device-memory, dpr, width, viewport-width, rtt, downlink, ect
accept-ch-lifetime: 604800
x-frame-options: SAMEORIGIN
set-cookie: autorf=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=www.yahoo.com
x-xss-protection: 1; report="https://csp.yahoo.com/beacon/csp?src=fp-hpkp-www"
content-security-policy: sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=frontpage&site=fp®ion=US&lang=en-US&device=desktop&partner=default;
x-content-type-options: NOSNIFF
content-type: text/html; charset=UTF-8
age: 0
server: ATS
referrer-policy: no-referrer-when-downgrade
x-failsafe-cache: 1
expires: -1
content-security-policy-report-only: style-src https://*.btrll.com https://cdn.cmp.advertising.com https://*.oath.com https://*.yimg.com https://*.yahoo.com 'self' 'unsafe-inline' data: blob:; script-src https://*.btrll.com https://cdn.cmp.advertising.com https://*.oath.com https://*.yahoo.com https://*.yimg.com 'self' 'unsafe-inline' 'unsafe-eval' https://platform.twitter.com https://*.btrll.com data: blob:; frame-ancestors https://*.techcrunch.com https://*.huffingtonpost.com https://*.aol.com https://*.yahoo.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage®ion=US&lang=en-US&device=desktop&yrid=dtgjp59esulg6&partner=;
expect-ct: max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"
Access-Control-Request-Method で挙動が変わるパターン
- Access-Control-Request-Method の指定が有効であれば Access-Control-Allow-Methods に全種類の有効メソッドを返してくる
- 知らないやつには何も教えてやらないよ!って。
$ curl --head -X 'OPTIONS' 'http://localhost/' --header 'Access-Control-Request-Method: GET'
HTTP/1.1 200 OK
Content-Type: text/plain
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
$ curl --head -X 'OPTIONS' 'http://localhost/' --header 'Access-Control-Request-Method: XXX'
HTTP/1.1 200 OK
Content-Type: text/plain
Transfer-Encoding: chunked
感想
Request & Response って本当に自由ですね!
ref
なんとなく CORS がわかる...はもう終わりにする。 - Qiita
Original by Github issue
チャットメンバー募集
何か質問、悩み事、相談などあればLINEオープンチャットもご利用ください。
公開日時
2019-11-16
Discussion