Cross-Origin Request 實現跨網域請求

JSONP

CORS: Cross-Origin Resource Sharing 跨來源資源共享

header('Access-Control-Allow-Origin: https://your.domain');
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept');
// 快取秒數；一段時間內允許請求，節省 option request 所消耗的資源
header('Access-Control-Max-Age: 1728000');
// 如果有登入需求，須加上
header('Access-Control-Allow-Credentials: true');

• Can Ajax make a Cross-Origin Login?
• MDN: HTTP 存取控制（CORS）
• enable-cors.org: I want to add CORS support to my server

WildCard '*' not working

• CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true

  For Security, cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.

Mutliple Origin Demand

用 preg_match()/ fnmatch() 和 $_SERVER['HTTP_ORIGIN'] 解

• How Secure is HTTP_ORIGIN

Others

科普

• 輕鬆理解 Ajax 與跨來源請求
• 實作 Cross-Origin Resource Sharing (CORS) 解決 Ajax 發送跨網域存取 Request
• 觀念與實作：利用CORS实现跨域请求

Front-end

• How to get Response headers in AJAX

• Detecting a redirect in jQuery $.ajax?

  XHR 獲取 header 中的 redirectURL

    //jQuery
    $.done(function(res, status, xhr) {
        console.log(xhr.getAllResponseHeaders());
    });