程序包 cn.taketoday.web.annotation

Annotation Interface CrossOrigin

@Documented
@Target({TYPE,METHOD})
@Retention(RUNTIME)
public @interface CrossOrigin

Annotation for permitting cross-origin requests on specific handler classes and/or handler methods. Processed if an appropriate HandlerMapping is configured.

The rules for combining global and local configuration are generally additive -- e.g. all global and all local origins. For those attributes where only a single value can be accepted such as allowCredentials and maxAge, the local overrides the global value. See CorsConfiguration.combine(CorsConfiguration) for more details.

从以下版本开始:

2019-12-08 18:14

作者:

Russell Allen, Sebastien Deleuze, Sam Brannen, Harry Yang

可选元素概要

可选元素

修饰符和类型	可选元素	说明
String	allowCredentials	Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint.
String[]	allowedHeaders	The list of request headers that are permitted in actual requests, possibly "*" to allow all headers.
String[]	exposedHeaders	The List of response headers that the user-agent will allow the client to access on an actual response, possibly "*" to expose all headers.
long	maxAge	The maximum age (in seconds) of the cache duration for preflight responses.
HttpMethod[]	methods	The list of supported HTTP request methods.
String[]	originPatterns	Alternative to origins() that supports more flexible origin patterns.
String[]	origins	A list of origins for which cross-origin requests are allowed.
String[]	value	Alias for origins().

元素详细资料

value

@AliasFor("origins")
String[] value

Alias for origins().

默认值:

{}

origins

@AliasFor("value")
String[] origins

A list of origins for which cross-origin requests are allowed. Please, see CorsConfiguration.setAllowedOrigins(List) for details.

By default all origins are allowed unless originPatterns() is also set in which case originPatterns is used instead.

默认值:

{}

originPatterns

String[] originPatterns

Alternative to origins() that supports more flexible origin patterns. Please, see CorsConfiguration.setAllowedOriginPatterns(List) for details.

By default this is not set.

默认值:

{}

allowedHeaders

String[] allowedHeaders

The list of request headers that are permitted in actual requests, possibly "*" to allow all headers. Please, see CorsConfiguration.setAllowedHeaders(List) for details.

By default all requested headers are allowed.

默认值:

{}

exposedHeaders

String[] exposedHeaders

The List of response headers that the user-agent will allow the client to access on an actual response, possibly "*" to expose all headers. Please, see CorsConfiguration.setExposedHeaders(List) for details.

By default no headers are listed as exposed.

默认值:

{}

methods

HttpMethod[] methods

The list of supported HTTP request methods. Please, see CorsConfiguration.setAllowedMethods(List) for details.

By default the supported methods are the same as the ones to which a controller method is mapped.

默认值:

{}

allowCredentials

String allowCredentials

Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint. Please, see CorsConfiguration.setAllowCredentials(Boolean) for details.

NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the surface attack of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.

By default this is not set in which case the Access-Control-Allow-Credentials header is also not set and credentials are therefore not allowed.

默认值:

""

maxAge

long maxAge

The maximum age (in seconds) of the cache duration for preflight responses.

This property controls the value of the Access-Control-Max-Age response header of preflight requests.

Setting this to a reasonable value can reduce the number of preflight request/response interactions required by the browser. A negative value means undefined.

By default this is set to 1800 seconds (30 minutes).

默认值:

-1L