Class CorsRegistration

    • Method Detail

      • allowedOrigins

        public CorsRegistration allowedOrigins(String... origins)
        The list of allowed origins, which can be specific origins, e.g. "https://domain1.com", or "*" for all origins.

        A matched origin is listed in the Access-Control-Allow-Origin response header of preflight and actual CORS requests.

        By default, all origins are allowed.

        Note: CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard such headers. See the Spring Framework reference for more on this filter.

      • allowedMethods

        public CorsRegistration allowedMethods(String... methods)
        Set the HTTP methods to allow, e.g. "GET", "POST", etc.

        The special value "*" allows all methods.

        By default "simple" methods GET, HEAD, and POST are allowed.

      • allowedHeaders

        public CorsRegistration allowedHeaders(String... headers)
        Set the list of headers that a pre-flight request can list as allowed for use during an actual request.

        The special value "*" may be used to allow all headers.

        A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma as per the CORS spec.

        By default all headers are allowed.

      • exposedHeaders

        public CorsRegistration exposedHeaders(String... headers)
        Set the list of response headers other than "simple" headers, i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma, that an actual response might have and can be exposed.

        The special value "*" allows all headers to be exposed for non-credentialed requests.

        By default this is not set.

      • allowCredentials

        public CorsRegistration allowCredentials(boolean allowCredentials)
        Whether the browser should send credentials, such as cookies, along with cross-domain requests to the annotated endpoint. The configured value is set on the Access-Control-Allow-Credentials response header of preflight requests.

        NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the attack surface of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.

        By default this is not set, in which case the Access-Control-Allow-Credentials header is also not set and credentials are therefore not allowed.

      • maxAge

        public CorsRegistration maxAge(long maxAge)
        Configure how long in seconds the response from a pre-flight request can be cached by clients.

        By default this is set to 1800 seconds (30 minutes).
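
The methods above combined in one configuration, with a mapping left on the documented defaults beside a locked-down one. This is an added example, not code from the Spring project: it assumes Spring MVC's WebMvcConfigurer and CorsRegistry, and the class name, path patterns, origin and header names are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Added example: CorsConfig, the path patterns, the origin and the header
// names are assumptions chosen for illustration.
@Configuration
public class CorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Weak: nothing is configured, so the documented defaults apply:
        // all origins, all headers, GET/HEAD/POST, no credentials.
        // Suitable only for anonymous content that any site may read.
        registry.addMapping("/public/**");

        // Hardened: every value is listed explicitly because credentials
        // are enabled, which places a high level of trust in the origin.
        registry.addMapping("/api/**")
                // One exact origin (scheme + host) instead of "*".
                .allowedOrigins("https://app.example.com")
                // Only the methods the API actually serves.
                .allowedMethods("GET", "POST", "PUT", "DELETE")
                // Request headers a preflight may ask for, instead of the
                // default of all headers.
                .allowedHeaders("Content-Type", "Authorization", "X-XSRF-TOKEN")
                // Non-"simple" response header the client script may read.
                // Listed by name: "*" applies to non-credentialed requests.
                .exposedHeaders("X-Request-Id")
                // Cookies are sent cross-origin, so the origin above must be
                // one the application fully trusts.
                .allowCredentials(true)
                // Cache preflight results for 10 minutes rather than the
                // default 1800 seconds, so a tightened policy takes effect
                // sooner in browsers.
                .maxAge(600);
    }
}
```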