http-headers - 我怎么知道哪些 access-control-allow-headers 允许 CORS？

Question

鉴于这些请求 header :

Host: api.example.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Origin: https://web.example.org
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

以及这些响应头:

Connection: keep-alive
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Date: Tue, 13 Oct 2015 10:57:34 GMT
Server: nginx/1.8.0
access-control-allow-headers: Authorization, Content-Type
access-control-allow-methods: PUT, DELETE, PATCH
access-control-allow-origin: *

即使只有 Authorization 这也有效和 Content-Type标题是明确允许的。为什么我不必允许浏览器发送的其他 header ？ (例如 DNT)

更新 : this MDN page包含简单 header 的概述(默认的 CORS 安全列表请求 header ):

A simple header (or CORS-safelisted request header) is one of thefollowing HTTP headers:

• Accept
• Accept-Language
• Content-Language
• Content-Type with a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain.

Or one of these client hint headers:

• DPR
• Downlink
• Save-Data
• Viewport-Width
• Width

Answer 1

没有看到您生成 header 的代码，或者您在哪个系统上提供服务，即 nginx 或 apache，我能做的最好的事情就是将您推荐给 http://client.cors-api.appspot.com/client这将允许您测试您的 CORS 请求。另外，你应该看看http://enable-cors.org/server.html用于您的特定设置。例如在 nginx 上，你可以有这样的东西

add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

有一组普通标题，然后是您必须明确调用的一组标题。见 http://www.html5rocks.com/en/tutorials/cors/#toc-adding-cors-support-to-the-server关于在服务器上设置它。