How to enable cross-origin requests in Laravel

Source: Internet
Author: User
Tags http authentication

Preface

This article describes how to enable cross-origin requests in Laravel. It is shared here for reference and study, so let's go straight to the details.

Cross-origin requests

For security reasons, the browser restricts cross-origin requests made from scripts. Because XMLHttpRequest follows the same-origin policy, an application that uses XMLHttpRequest to make HTTP requests can only access its own domain. To make a cross-origin request, developers need to configure cross-origin access in a way the browser supports.

The W3C Web Applications Working Group recommends a cross-origin resource sharing mechanism that lets web application servers support cross-site access control, making it possible to transmit cross-site data securely. The mechanism extends the existing model in several ways:

  • Access-Control-Allow-Origin should be added to the response headers to indicate which request origins are allowed to access the resource.
  • The browser checks the request's origin against the value in the response.
  • For non-simple cross-origin requests, the browser first sends a preflight request to determine whether the given resource is ready to accept cross-origin access.
  • The server application checks the Origin request header to determine whether the request is cross-origin.

Cross-Origin Resource Sharing Standard

The cross-origin resource sharing (CORS) standard adds a series of HTTP headers so that the server can declare which origins may access its resources through a browser. In addition, for HTTP request methods that can have side effects on server data (in particular, HTTP methods other than GET, or POST requests with certain MIME types), the standard requires the browser to first send a preflight request using the OPTIONS method to learn which HTTP methods the server supports for cross-origin requests. Only when the server allows the cross-origin request does the browser send the real request with the actual HTTP method. The server can also tell the client whether credentials (including cookies and HTTP authentication data) should be sent along with the request.

CORS works only when the browser and the server cooperate. Current browsers handle their side of the exchange automatically, so enabling cross-origin resource access is mainly a server-side task.

Some standard response headers and request headers are listed below.

Response Header

  • Access-Control-Allow-Origin: Specifies which request origins are allowed to access the resource. The value can be "*", "null", or a single origin.
  • Access-Control-Allow-Credentials: Indicates whether the response can be exposed when the request is sent with credentials. In a preflight response, it indicates that the actual request can include user credentials.
  • Access-Control-Expose-Headers: Specifies which response headers can safely be exposed to the client-side API.
  • Access-Control-Max-Age: Specifies how long the result of a preflight request can be kept in the preflight result cache.
  • Access-Control-Allow-Methods: In a preflight response, specifies which request methods can be used for the actual request.
  • Access-Control-Allow-Headers: In a preflight response, specifies which header fields can be used in the actual request.

Request Header

  • Origin: Indicates the origin of the request or preflight request.
  • Access-Control-Request-Method: Sent with a preflight request to indicate the method the actual request will use.
  • Access-Control-Request-Headers: Sent with a preflight request to indicate the headers the actual request will carry.

Middleware

To allow cross-origin requests in Laravel, we can build an after-middleware that appends the CORS response headers to each response:

    <?php

    namespace App\Http\Middleware;

    use Closure;

    class EnableCrossRequestMiddleware
    {
        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, Closure $next)
        {
            // Run the rest of the pipeline first, then decorate its response.
            $response = $next($request);

            // config('app.allow') holds the single origin allowed to read responses.
            $response->header('Access-Control-Allow-Origin', config('app.allow'));
            $response->header('Access-Control-Allow-Headers', 'Origin, Content-Type, Cookie, Accept');
            $response->header('Access-Control-Allow-Methods', 'GET, POST, PATCH, PUT, OPTIONS');
            $response->header('Access-Control-Allow-Credentials', 'true');

            return $response;
        }
    }

Note the following:

  • For requests that require cross-origin access along with authentication information, you must specify withCredentials as true in the XMLHttpRequest instance.
  • You can adapt this middleware to your own needs. If the request must carry authentication information (including cookies and the session), you need to set Access-Control-Allow-Credentials to true, because if this response header is missing from the preflight response, the browser ignores the response.
  • When Access-Control-Allow-Credentials is set to true in the response, the value of Access-Control-Allow-Origin cannot be *.
  • The after-middleware appends the response headers only when the response is normal. If an exception occurs, the response does not pass through the middleware.
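
The notes above on credentials and Access-Control-Allow-Origin, as an added example (not the article's code): a middleware that echoes the request's Origin only when it exactly matches an allowlist, sets Vary: Origin, and answers the preflight itself. The origins in ALLOWED_ORIGINS, the names corsHeaders and AllowlistCorsMiddleware, and the 600-second Max-Age are assumptions made for illustration.

```php
<?php
// Added example. ALLOWED_ORIGINS is constructed sample data; in a Laravel
// application it would be read from a config key of your choosing.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];

// Decide the CORS response headers for one request.
// $acrm is the Access-Control-Request-Method request header (null if absent).
function corsHeaders(string $method, ?string $origin, ?string $acrm, array $allowed): array
{
    // The response differs per origin, so caches must key on Origin.
    $headers = ['Vary' => 'Origin'];

    // Exact string match only: no "*", no "null", no substring or regex match.
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return $headers; // no Access-Control-* headers: the browser blocks the read
    }

    // Echo the single matching origin, which is what credentialed requests require.
    $headers['Access-Control-Allow-Origin'] = $origin;
    $headers['Access-Control-Allow-Credentials'] = 'true';

    // Preflight: an OPTIONS request that carries Access-Control-Request-Method.
    if ($method === 'OPTIONS' && $acrm !== null) {
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, PATCH, PUT, OPTIONS';
        $headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Cookie, Accept';
        $headers['Access-Control-Max-Age'] = '600'; // assumed cache lifetime in seconds
    }
    return $headers;
}

class AllowlistCorsMiddleware
{
    public function handle($request, Closure $next)
    {
        $h = corsHeaders(
            $request->getMethod(),
            $request->headers->get('Origin'),
            $request->headers->get('Access-Control-Request-Method'),
            ALLOWED_ORIGINS
        );
        // Answer an allowed preflight here; everything else runs the application.
        $response = isset($h['Access-Control-Allow-Methods']) ? response('', 204) : $next($request);
        foreach ($h as $name => $value) {
            // Append to any existing Vary value; replace the other headers.
            $response->headers->set($name, $value, $name !== 'Vary');
        }
        return $response;
    }
}
```

Because corsHeaders is a plain function, the allow and deny decisions can be unit-tested without booting the framework.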

Summary

That is all for this article. I hope it helps you in your study or work. If you have any questions, please leave a message. Thank you for your support.
