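Enable CORS on a resource using the API Gateway import API
If you are using the API Gateway import API, you can set up CORS support with an OpenAPI file. You must first define an OPTIONS method in your resource that returns the required headers.
Web browsers expect the Access-Control-Allow-Headers and Access-Control-Allow-Origin headers to be set on every API method that accepts CORS requests. In addition, some browsers first make an HTTP request to the OPTIONS method of the same resource and then expect to receive the same headers.
The following example creates an OPTIONS method that uses a mock integration.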
- OpenAPI 3.0

```yaml
/users:
  options:
    summary: CORS support
    description: |
      Enable CORS by returning correct headers
    tags:
    - CORS
    responses:
      200:
        description: Default response for CORS method
        headers:
          Access-Control-Allow-Origin:
            schema:
              type: string
          Access-Control-Allow-Methods:
            schema:
              type: string
          Access-Control-Allow-Headers:
            schema:
              type: string
        content: {}
    x-amazon-apigateway-integration:
      type: mock
      requestTemplates:
        application/json: |
          {
            "statusCode" : 200
          }
      responses:
        default:
          statusCode: "200"
          responseParameters:
            method.response.header.Access-Control-Allow-Headers: '''Content-Type,X-Amz-Date,Authorization,X-Api-Key'''
            method.response.header.Access-Control-Allow-Methods: '''*'''
            method.response.header.Access-Control-Allow-Origin: '''*'''
          responseTemplates:
            application/json: |
              {}
```

- OpenAPI 2.0

```yaml
/users:
  options:
    summary: CORS support
    description: |
      Enable CORS by returning correct headers
    consumes:
    - application/json
    produces:
    - application/json
    tags:
    - CORS
    x-amazon-apigateway-integration:
      type: mock
      requestTemplates:
        application/json: |
          {
            "statusCode" : 200
          }
      responses:
        "default":
          statusCode: "200"
          responseParameters:
            method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key'"
            method.response.header.Access-Control-Allow-Methods : "'*'"
            method.response.header.Access-Control-Allow-Origin : "'*'"
          responseTemplates:
            application/json: |
              {}
    responses:
      200:
        description: Default response for CORS method
        headers:
          Access-Control-Allow-Headers:
            type: "string"
          Access-Control-Allow-Methods:
            type: "string"
          Access-Control-Allow-Origin:
            type: "string"
```
After you configure the OPTIONS method for your resource, you can add the required headers to the other methods in the same resource that need to accept CORS requests.
- Declare the Access-Control-Allow-Origin and Headers in the response types.
  - OpenAPI 3.0

    ```yaml
    responses:
      200:
        description: Default response for CORS method
        headers:
          Access-Control-Allow-Origin:
            schema:
              type: string
          Access-Control-Allow-Methods:
            schema:
              type: string
          Access-Control-Allow-Headers:
            schema:
              type: string
        content: {}
    ```

  - OpenAPI 2.0

    ```yaml
    responses:
      200:
        description: Default response for CORS method
        headers:
          Access-Control-Allow-Headers:
            type: "string"
          Access-Control-Allow-Methods:
            type: "string"
          Access-Control-Allow-Origin:
            type: "string"
    ```
- In the x-amazon-apigateway-integration tag, set up the mapping of those headers to static values:
  - OpenAPI 3.0

    ```yaml
    responses:
      default:
        statusCode: "200"
        responseParameters:
          method.response.header.Access-Control-Allow-Headers: '''Content-Type,X-Amz-Date,Authorization,X-Api-Key'''
          method.response.header.Access-Control-Allow-Methods: '''*'''
          method.response.header.Access-Control-Allow-Origin: '''*'''
        responseTemplates:
          application/json: |
            {}
    ```

  - OpenAPI 2.0

    ```yaml
    responses:
      "default":
        statusCode: "200"
        responseParameters:
          method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key'"
          method.response.header.Access-Control-Allow-Methods : "'*'"
          method.response.header.Access-Control-Allow-Origin : "'*'"
    ```
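The two steps above can be checked on an OpenAPI document before it is imported. The following Python lint is an added example, not part of the AWS documentation: it reports methods that miss either step and Access-Control-Allow-* mappings set to the wildcard `'*'`, which lets any origin read the response. It assumes the document is already loaded into a dict and that every method on a path is meant to accept CORS requests; `lint_cors` and `SAMPLE` are hypothetical names and the sample document is constructed.

```python
# Added example, not AWS code: lint an OpenAPI document (loaded as a dict).
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
PREFIX = "method.response.header."
ORIGIN = "Access-Control-Allow-Origin"

def lint_cors(spec):
    """Return sorted findings for every path in the OpenAPI dict."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        methods = {m: op for m, op in item.items() if m in HTTP_METHODS}
        if "options" not in methods:
            findings.append(f"{path}: no OPTIONS method for preflight")
        for method, op in methods.items():
            where = f"{path} {method.upper()}"
            # Step 1: headers declared on the method responses.
            declared = set()
            for resp in op.get("responses", {}).values():
                declared |= set(resp.get("headers", {}))
            # Step 2: headers mapped to static values in the integration.
            mapped = {}
            integ = op.get("x-amazon-apigateway-integration", {})
            for resp in integ.get("responses", {}).values():
                for key, value in resp.get("responseParameters", {}).items():
                    if key.startswith(PREFIX):
                        mapped[key[len(PREFIX):]] = value
            if ORIGIN not in declared:
                findings.append(f"{where}: {ORIGIN} not declared in responses")
            if ORIGIN not in mapped:
                findings.append(f"{where}: {ORIGIN} not mapped in integration")
            for name, value in mapped.items():
                if name.startswith("Access-Control-Allow-") and value.strip("'") == "*":
                    findings.append(f"{where}: {name} maps to wildcard '*'")
    return sorted(findings)

# Constructed sample: OPTIONS as on this page, GET with step 2 left out.
_HDRS = {h: {"schema": {"type": "string"}} for h in
         (ORIGIN, "Access-Control-Allow-Methods", "Access-Control-Allow-Headers")}
SAMPLE = {"paths": {"/users": {
    "options": {
        "responses": {"200": {"headers": _HDRS}},
        "x-amazon-apigateway-integration": {"type": "mock", "responses": {"default": {
            "statusCode": "200",
            "responseParameters": {
                PREFIX + "Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key'",
                PREFIX + "Access-Control-Allow-Methods": "'*'",
                PREFIX + ORIGIN: "'*'"}}}}},
    "get": {
        "responses": {"200": {"headers": {ORIGIN: {"schema": {"type": "string"}}}}},
        "x-amazon-apigateway-integration": {"type": "mock"}}}}}
```

Calling `lint_cors(SAMPLE)` returns one finding for the GET method, whose header is declared but never mapped, and two wildcard findings for the OPTIONS method.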