diff --git a/app/common/middleware/AllowCrossDomain.php b/app/common/middleware/AllowCrossDomain.php
index 1207115..34a608e 100644
--- a/app/common/middleware/AllowCrossDomain.php
+++ b/app/common/middleware/AllowCrossDomain.php
@@ -30,7 +30,7 @@ class AllowCrossDomain implements MiddlewareInterface
 'Access-Control-Allow-Credentials' => 'true',
 'Access-Control-Max-Age' => '1800',
 'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
- 'Access-Control-Allow-Headers' => 'Content-Type, Authorization, batoken, ba-user-token, think-lang, lang, server',
+ 'Access-Control-Allow-Headers' => 'Content-Type, Authorization, batoken, ba-user-token, think-lang, lang',
 ];
 $origin = $request->header('origin');
 if (is_array($origin)) {
@@ -48,6 +48,14 @@ class AllowCrossDomain implements MiddlewareInterface
 || ($host === 'localhost' || $host === '127.0.0.1');
 if ($allowed) {
 $header['Access-Control-Allow-Origin'] = $origin;
+ // 回显浏览器在预检中声明的请求头,避免白名单遗漏导致 CORS 失败
+ $reqHeaders = $request->header('access-control-request-headers', '');
+ if (is_array($reqHeaders)) {
+ $reqHeaders = $reqHeaders[0] ?? '';
+ }
+ if (is_string($reqHeaders) && trim($reqHeaders) !== '') {
+ $header['Access-Control-Allow-Headers'] = $reqHeaders;
+ }
 }
 }
 return response('', 204, $header);
diff --git a/web/src/utils/axios.ts b/web/src/utils/axios.ts
index 19d6fa6..52bebaf 100644
--- a/web/src/utils/axios.ts
+++ b/web/src/utils/axios.ts
@@ -51,7 +51,6 @@ function createAxios>(axiosConfig: AxiosRequest
 timeout: 1000 * 10,
 headers: {
 'think-lang': config.lang.defaultLang,
- server: true,
 },
 responseType: 'json',
 })
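Review bot: The block added in the second hunk of AllowCrossDomain.php copies the browser's `Access-Control-Request-Headers` value unfiltered into `Access-Control-Allow-Headers`, so for every origin that passes `$allowed` (including the `localhost`/`127.0.0.1` host match) the static allow-list no longer constrains anything, while `Access-Control-Allow-Credentials` stays `true`. It also cancels the first hunk's removal of `server` from the list, because any preflight that names that header gets it granted again. I would keep the list as the source of truth and return only the requested names that are on it, adding a header to the list when one is genuinely needed. The enclosing method starts and ends outside the hunk, so that this branch serves only preflight requests is inferred from the `204` response.

```php
// … unchanged: read access-control-request-headers into $reqHeaders …
if (is_string($reqHeaders) && trim($reqHeaders) !== '') {
    // Grant only requested names that are on the allow-list; header names are case-insensitive.
    $allowList = ['content-type', 'authorization', 'batoken', 'ba-user-token', 'think-lang', 'lang'];
    $requested = array_map('trim', explode(',', strtolower($reqHeaders)));
    $granted = array_values(array_intersect($requested, $allowList));
    if ($granted !== []) {
        $header['Access-Control-Allow-Headers'] = implode(', ', $granted);
    }
}
```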