diff --git a/app/common/middleware/AllowCrossDomain.php b/app/common/middleware/AllowCrossDomain.php index ede3651..842e724 100644 --- a/app/common/middleware/AllowCrossDomain.php +++ b/app/common/middleware/AllowCrossDomain.php @@ -21,25 +21,6 @@ class AllowCrossDomain implements MiddlewareInterface 'Access-Control-Allow-Headers' => '*', ]; - /** - * 读取预检请求中的 Access-Control-Request-Headers(经 CDN/反代时 Request 可能取不到,补读 $_SERVER) - */ - private static function accessControlRequestHeaders(Request $request): string - { - $reqHeaders = $request->header('access-control-request-headers', ''); - if (is_array($reqHeaders)) { - $reqHeaders = $reqHeaders[0] ?? ''; - } - if (is_string($reqHeaders) && trim($reqHeaders) !== '') { - return trim($reqHeaders); - } - $fromServer = $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ?? ''; - if (is_string($fromServer) && trim($fromServer) !== '') { - return trim($fromServer); - } - return ''; - } - /** * 返回 CORS 预检(OPTIONS)响应,供路由直接调用(Webman 未匹配路由时不走中间件) */ @@ -49,7 +30,7 @@ class AllowCrossDomain implements MiddlewareInterface 'Access-Control-Allow-Credentials' => 'true', 'Access-Control-Max-Age' => '1800', 'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, PATCH, OPTIONS', - 'Access-Control-Allow-Headers' => 'Content-Type, Authorization, batoken, ba-user-token, think-lang, lang, server', + 'Access-Control-Allow-Headers' => 'Content-Type, Authorization, batoken, ba-user-token, think-lang, server', ]; $origin = $request->header('origin'); if (is_array($origin)) { @@ -67,11 +48,6 @@ class AllowCrossDomain implements MiddlewareInterface || ($host === 'localhost' || $host === '127.0.0.1'); if ($allowed) { $header['Access-Control-Allow-Origin'] = $origin; - // 回显浏览器在预检中声明的请求头,避免白名单遗漏导致 CORS 失败 - $reqHeaders = self::accessControlRequestHeaders($request); - if ($reqHeaders !== '') { - $header['Access-Control-Allow-Headers'] = $reqHeaders; - } } } return response('', 204, $header);