为什么要发送OPTIONS请求，我可以禁用它吗？

最新推荐文章于 2025-09-25 11:00:24 发布

翻译最新推荐文章于 2025-09-25 11:00:24 发布 · 6.1k 阅读

0 ·

CC 4.0 BY-SA版权

原文链接：https://oldbug.net/q/21gPd/Why-is-an-OPTIONS-request-sent-and-can-I-disable-it

文章标签：

#http #cors #options

部署运行你感兴趣的模型镜像

本文翻译自：Why is an OPTIONS request sent and can I disable it?

I am building a web API. 我正在构建一个Web API。 I found whenever I use Chrome to POST, GET to my API, there is always an OPTIONS request sent before the real request, which is quite annoying. 我发现每当我使用Chrome进行POST，GET到我的API时，总是在真实请求之前发送一个OPTIONS请求，这很烦人。 Currently I get the server to ignore any OPTIONS requests. 目前，我让服务器忽略任何OPTIONS请求。 Now my questions is what's good to send an OPTIONS request to double the server's load? 现在，我的问题是，发送一个OPTIONS请求以使服务器的负载增加一倍有什么好处？ Is there any way to completely stop the browser from sending OPTIONS requests? 有什么方法可以完全阻止浏览器发送OPTIONS请求？

#1楼

参考：https://stackoom.com/question/21gPd/为什么要发送OPTIONS请求-我可以禁用它吗

#2楼

edit 2018-09-13 : added some precisions about this pre-flight request and how to avoid it at the end of this reponse. 编辑2018-09-13 ：在此预检请求以及在此响应结束时如何避免它方面增加了一些精度。

OPTIONS requests are what we call pre-flight requests in Cross-origin resource sharing (CORS) . OPTIONS请求是Cross-origin resource sharing (CORS) pre-flight请求。

They are necessary when you're making requests across different origins in specific situations. 当您在特定情况下跨不同来源发出请求时，它们是必需的。

This pre-flight request is made by some browsers as a safety measure to ensure that the request being done is trusted by the server. 某些浏览器会发出此飞行前请求，作为一种安全措施，以确保服务器信任正在执行的请求。 Meaning the server understands that the method, origin and headers being sent on the request are safe to act upon. 意味着服务器了解请求上发送的方法，源和标头是安全的。

Your server should not ignore but handle these requests whenever you're attempting to do cross origin requests. 每当您尝试进行跨源请求时，服务器都不应忽略，而应处理这些请求。

A good resource can be found here http://enable-cors.org/ 一个很好的资源可以在这里找到http://enable-cors.org/

A way to handle these to get comfortable is to ensure that for any path with OPTIONS method the server sends a response with this header 处理这些问题的一种方法是确保对于使用OPTIONS方法的任何路径，服务器均使用此标头发送响应

Access-Control-Allow-Origin: *

This will tell the browser that the server is willing to answer requests from any origin. 这将告诉浏览器服务器愿意回答任何来源的请求。

For more information on how to add CORS support to your server see the following flowchart 有关如何向服务器添加CORS支持的更多信息，请参见以下流程图

http://www.html5rocks.com/static/images/cors_server_flowchart.png http://www.html5rocks.com/static/images/cors_server_flowchart.png

CORS流程图

edit 2018-09-13 编辑2018-09-13

CORS OPTIONS request is triggered only in somes cases, as explained in MDN docs : 仅在某些情况下会触发CORS OPTIONS请求，如MDN docs中所述：

Some requests don't trigger a CORS preflight. 有些请求不会触发CORS预检。 Those are called “simple requests” in this article, though the Fetch spec (which defines CORS) doesn't use that term. 尽管Fetch规范（定义了CORS）未使用该术语，但在本文中将其称为“简单请求”。 A request that doesn't trigger a CORS preflight—a so-called “simple request”—is one that meets all the following conditions: 不会触发CORS预检的请求（所谓的“简单请求”）是满足以下所有条件的请求：

The only allowed methods are: 唯一允许的方法是：

GET 得到
HEAD 头
POST 开机自检

Apart from the headers set automatically by the user agent (for example, Connection, User-Agent, or any of the other headers with names defined in the Fetch spec as a “forbidden header name”), the only headers which are allowed to be manually set are those which the Fetch spec defines as being a “CORS-safelisted request-header”, which are: 除了由用户代理自动设置的标头（例如，Connection，User-Agent或在Fetch规范中定义为“禁止标头名”的任何其他标头）外，仅允许将标头手动设置的是Fetch规范定义为“ CORS安全列出的请求标头”的设置，它们是：

Accept 接受
Accept-Language 接受语言
Content-Language 内容语言
Content-Type (but note the additional requirements below) 内容类型（但请注意以下其他要求）
DPR DPR
Downlink 下行链接
Save-Data 保存数据
Viewport-Width 视口宽度
Width 宽度

The only allowed values for the Content-Type header are: Content-Type标头的唯一允许值为：

application/x-www-form-urlencoded 应用程序/ x-www-form-urlencoded
multipart/form-data 多部分/表单数据
text/plain 文字/纯文字

No event listeners are registered on any XMLHttpRequestUpload object used in the request; 没有在请求中使用的任何XMLHttpRequestUpload对象上注册事件侦听器； these are accessed using the XMLHttpRequest.upload property. 这些可以使用XMLHttpRequest.upload属性进行访问。

No ReadableStream object is used in the request. 请求中未使用ReadableStream对象。

#3楼

您不能，但是可以避免使用JSONP的CORS。

#4楼

Yes it's possible to avoid options request. 是的，可以避免选择要求。 Options request is a preflight request when you send (post) any data to another domain. 当您将任何数据发送（发布）到另一个域时，选项请求是预检请求。 It's a browser security issue. 这是浏览器的安全问题。 But we can use another technology: iframe transport layer. 但是我们可以使用另一种技术：iframe传输层。 I strongly recommend you forget about any CORS configuration and use readymade solution and it will work anywhere. 我强烈建议您忘记任何CORS配置并使用现成的解决方案，它可以在任何地方使用。

Take a look here: https://github.com/jpillora/xdomain 在这里看看： https : //github.com/jpillora/xdomain

And working example: http://jpillora.com/xdomain/ 工作示例： http : //jpillora.com/xdomain/

#5楼

Please refer this answer on the actual need for pre-flighted OPTIONS request: CORS - What is the motivation behind introducing preflight requests? 请根据实际的预检选项请求参阅此答案： CORS-引入预检请求的动机是什么？

To disable the OPTIONS request, below conditions must be satisfied for ajax request: 要禁用OPTIONS请求，必须满足ajax请求的以下条件：

Request does not set custom HTTP headers like 'application/xml' or 'application/json' etc 请求未设置自定义HTTP标头，例如“ application / xml”或“ application / json”等
The request method has to be one of GET, HEAD or POST. request方法必须是GET，HEAD或POST之一。 If POST, content type should be one of application/x-www-form-urlencoded , multipart/form-data , or text/plain 如果是POST，则内容类型应为application/x-www-form-urlencoded ， multipart/form-data或text/plain

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS 参考： https : //developer.mozilla.org/zh-CN/docs/Web/HTTP/Access_control_CORS

#6楼

As mentioned in previous posts already, OPTIONS requests are there for a reason. 如前几篇文章所述， OPTIONS请求在那里是有原因的。 If you have an issue with large response times from your server (eg overseas connection) you can also have your browser cache the preflight requests. 如果您对服务器的响应时间过长（例如，海外连接）有疑问，还可以让浏览器缓存预检请求。

Have your server reply with the Access-Control-Max-Age header and for requests that go to the same endpoint the preflight request will have been cached and not occur anymore. 让您的服务器用Access-Control-Max-Age标头答复，对于转到相同端点的请求，预检请求将被缓存并且不再发生。

您可能感兴趣的与本文相关的镜像