注释类型 CrossOrigin

字段详细资料

• DEFAULT_ORIGINS

  @Deprecated
  static final String[] DEFAULT_ORIGINS

  已过时。

  as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()

• DEFAULT_ALLOWED_HEADERS

  @Deprecated
  static final String[] DEFAULT_ALLOWED_HEADERS

  已过时。

  as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()

• DEFAULT_ALLOW_CREDENTIALS

  @Deprecated
  static final boolean DEFAULT_ALLOW_CREDENTIALS

  已过时。

  as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()

• DEFAULT_MAX_AGE

  @Deprecated
  static final long DEFAULT_MAX_AGE

  已过时。

  as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()

元素详细资料

• value

  @AliasFor("origins")
  String[] value

  Alias for origins().

  默认值:

  {}

• origins

  @AliasFor("value")
  String[] origins

  The list of allowed origins that be specific origins, e.g. "https://domain1.com", or "*" for all origins.

  A matched origin is listed in the Access-Control-Allow-Origin response header of preflight actual CORS requests.

  By default all origins are allowed.

  Note: CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard such headers. See the Spring Framework reference for more on this filter.

  另请参阅:

  value()

  默认值:

  {}

• allowedHeaders

  String[] allowedHeaders

  The list of request headers that are permitted in actual requests, possibly "*" to allow all headers.

  Allowed headers are listed in the Access-Control-Allow-Headers response header of preflight requests.

  A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma as per the CORS spec.

  By default all requested headers are allowed.

  默认值:

  {}

• exposedHeaders

  String[] exposedHeaders

  The List of response headers that the user-agent will allow the client to access on an actual response, other than "simple" headers, i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma,

  Exposed headers are listed in the Access-Control-Expose-Headers response header of actual CORS requests.

  The special value "*" allows all headers to be exposed for non-credentialed requests.

  By default no headers are listed as exposed.

  默认值:

  {}

• methods

  RequestMethod[] methods

  The list of supported HTTP request methods.

  By default the supported methods are the same as the ones to which a controller method is mapped.

  默认值:

  {}

• allowCredentials

  String allowCredentials

  Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint. The configured value is set on the Access-Control-Allow-Credentials response header of preflight requests.

  NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the surface attack of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.

  By default this is not set in which case the Access-Control-Allow-Credentials header is also not set and credentials are therefore not allowed.

  默认值:

  ""

• maxAge

  long maxAge

  The maximum age (in seconds) of the cache duration for preflight responses.

  This property controls the value of the Access-Control-Max-Age response header of preflight requests.

  Setting this to a reasonable value can reduce the number of preflight request/response interactions required by the browser. A negative value means undefined.

  By default this is set to 1800 seconds (30 minutes).

  默认值:

  -1L