Detailed explanation of how to enable laravel's cross-domain functionality

This article mainly introduces you to the relevant information on how to enable cross-domain functions in Laravel. The article introduces it in great detail through sample code. It has certain reference learning value for everyone's study or work. Friends who need it can follow below. Let’s learn together.

Preface

This article mainly introduces to you the relevant content about laravel enabling cross-domain functions, and shares it for your reference and study. The following words Not much more to say, let’s take a look at the detailed introduction.

Cross-domain requests

For security reasons, browsers will limit cross-domain requests in Script. Since XMLHttpRequest follows the same-origin policy, all applications that use XMLHttpRequest to construct HTTP requests can only access their own domain names. If they need to construct cross-domain requests, developers need to cooperate with the browser to make some configurations that allow cross-domain requests.

The W3C Application Working Group recommends a cross-resource sharing mechanism that allows Web application servers to support cross-site access control, thereby making it possible to secure cross-site data transmission. This mechanism uses several This method extends the original mode:

• The response header should be appended with Access-Control-Allow-Orign to indicate which request sources are allowed to access resource content

• The browser will verify the match between the request source and the value in the response

• For cross-domain requests, the browser will pre-send a non-simple method to determine whether a given resource is ready to accept cross-domain resource access

• The server application determines whether the request is cross-domain by checking the Orign in the request header.

Cross-origin resource sharing standard

The cross-origin resource sharing standard allows the server to Can declare which sources can access resources on this server through browsers. In addition, for HTTP request methods that will cause destructive responses to server data (especially HTTP methods other than GET, or POST requests with certain MIME types), the standard strongly requires that the browser must first send a preset request in the OPTIONS request method. request (preflight request) to obtain the HTTP methods supported by the server for cross-origin requests. After confirming that the server allows cross-origin requests, send the real request with the actual HTTP request method. The server can also notify the client whether credit information (including cookies and HTTP authentication related data) needs to be sent along with the request.

The cross-origin sharing standard requires the cooperation of the browser and the server to complete. Currently, browser manufacturers can automatically complete the request part, so the focus of cross-origin resource access is still on the server side.

The following lists some response headers and request headers available in the standard.

Response Header

• Access-Control-Allow-Origin: Indicates which request sources are allowed to access resources, the value can be "*", "null", or a single source address.

• Access-Control-Allow-Credentials : Indicates whether the response is exposed when the creadentials identifier is omitted from the request. For pre-requests, it indicates that the user credentials can be included in the actual request.

• Access-Control-Expose-Headers : Specifies which header information can be safely exposed to the API of the CORS API specification.

• Access-Control-Max-Age : Indicates how long pre-requests can be stored in the pre-request cache.

• Access-Control-Allow-Methods: For pre-requests, which request methods can be used for actual requests.

• Access-Control-Allow-Headers: For pre-requests, indicates which header information can be used in the actual request.

• Origin: Indicates the origin of pre-request or cross-domain request.

• Access-Control-Request-Method: For pre-requests, indicate which request methods in pre-requests can be used in actual requests.

• Access-Control-Request-Headers: Indicates which header information in the pre-request can be used in the actual request.

Request Header

• Origin: Indicates the origin of the request or pre-request.

• Access-Control-Request-Method: Bring this request header when sending a pre-request to indicate the request method that will be used in the actual request.

• Access-Control-Request-Headers: This request header is included when sending the pre-request, indicating the request headers that the actual request will carry.

Middleware

To allow cross-domain requests in Laravel, we can build a middleware that appends responses to add special processing for cross-domain requests. The response header of the domain request:

<?php namespace App\Http\Middleware;

use Closure;
use Response;
class EnableCrossRequestMiddleware {

 /**
 * Handle an incoming request.
 *
 * @param \Illuminate\Http\Request $request
 * @param \Closure $next
 * @return mixed
 */
 public function handle($request, Closure $next)
 {

 $response = $next($request);
  $response->header(&#39;Access-Control-Allow-Origin&#39;, config(&#39;app.allow&#39;));
  $response->header(&#39;Access-Control-Allow-Headers&#39;, &#39;Origin, Content-Type, Cookie, Accept&#39;);
  $response->header(&#39;Access-Control-Allow-Methods&#39;, &#39;GET, POST, PATCH, PUT, OPTIONS&#39;);
  $response->header(&#39;Access-Control-Allow-Credentials&#39;, &#39;true&#39;);
  return $response;
 }

}

There are the following things to note:

• For cross-domain access requests that need to be accompanied by authentication information, you need to specify withCredentials as true in the XMLHttpRequest instance.

• You can build this middleware according to your own needs. If you need to include authentication information (including cookie, session) in the request, then you need to specify Access-Control-Allow-Credentials as true, Because for pre-requests, if you do not specify the response header, the browser will simply ignore the response.

• When Access-Control-Allow-Credentials is specified as true in the response, Access-Control-Allow-Origin cannot be specified as *

• Post-middleware will only add response headers when responding normally. If an exception occurs, the response will not go through the middleware.

The above is the detailed content of Detailed explanation of how to enable laravel's cross-domain functionality. For more information, please follow other related articles on the PHP Chinese website!