
Method: Access-Control-Allow-Origin with multiple origin domains

Updated: 2023-01-08 23:10:38

The documentation on this seems to imply that it allows multiple origins with a space separated list, but that's not what it actually means. Here's what I could gather as the most definitive answer to your question: the Access-Control-Allow-Origin header should be the same value as the Origin header as long as you want to allow it.

The reason it's not a whitelist that you send back to the client is because technically the client can send a space separated list of origins so that the server can validate the request. The purpose of origin list then is because the request could've come from multiple origins (ie. the request was redirected across domains). A test suite makes it easy to observe this behavior with varying redirect possibilities, even though a space separated list is never generated (by Firefox at least).

This is illustrated lower in the first linked W3C document you provided:

The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. ABNF:

Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"

In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".

And again in the definition of the origin list. In addition it shows if you do want to allow the string "null" as an origin, it wouldn't be able to be embedded in an origin list anyways.

So stick with the dynamically generated header based on the client's Origin header and whether that matches your whitelist.
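The dynamically generated header the answer ends on, as an added example that is not code from the original answer or from the W3C document: a Node.js function that takes the request's Origin header, compares it against a server-side allow-list by exact origin match (scheme, host and port, after normalisation), echoes that single origin back in Access-Control-Allow-Origin only on a match, refuses a space-separated list or any non-origin value, echoes "null" only when explicitly opted in, and always sets Vary: Origin so a shared cache does not hand one origin's response to another. The allow-list contents, the function names and the sample Origin values are assumptions constructed for illustration.

```javascript
// Added example (not from the original answer): per-request CORS headers
// built from the client's Origin header and a server-side allow-list.
// ALLOWED_ORIGINS is a constructed allow-list of full origins; the names
// below are assumptions made for this illustration.

// Exact origins only: scheme + host + optional non-default port.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Normalise an Origin header value so that "https://APP.example.com" and
// "https://app.example.com" compare equal. Returns:
//   - the canonical origin string for a well-formed single origin,
//   - "null" for the literal opaque-origin value,
//   - null for anything else (missing, a space-separated list, a URL with a
//     path/query/userinfo, or an unparsable value).
function normalizeOrigin(value) {
  if (typeof value !== "string" || value.length === 0) return null;
  if (value === "null") return "null";
  // Reject lists outright: the production is a single origin or "null",
  // so a value with whitespace is never something we should echo.
  if (/\s/.test(value)) return null;
  let u;
  try {
    u = new URL(value);
  } catch (e) {
    return null;
  }
  // An origin carries no credentials, path, query or fragment.
  if (u.username || u.password || u.pathname !== "/" || u.search || u.hash) {
    return null;
  }
  // Non-special schemes (e.g. foo://bar) serialise their origin as "null";
  // do not let them masquerade as the opaque origin.
  if (u.origin === "null") return null;
  return u.origin; // lower-cased host, default port dropped
}

// Build the CORS-related response headers for one request.
// originHeader: the raw value of the request's Origin header (may be undefined).
// allowed: a Set of origins; include the string "null" only if you
//          deliberately want to allow sandboxed/opaque-origin documents.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  // The response depends on Origin, so caches must key on it.
  const headers = { Vary: "Origin" };
  const origin = normalizeOrigin(originHeader);
  if (origin === null) return headers; // not a (valid) cross-origin request
  if (origin === "null") {
    // "null" is sent by sandboxed iframes, file:// pages and some redirects.
    // It identifies no particular site, so it is not echoed unless the
    // allow-list explicitly contains it.
    if (allowed.has("null")) headers["Access-Control-Allow-Origin"] = "null";
    return headers;
  }
  if (allowed.has(origin)) {
    // Echo exactly one origin: the one that matched, never a list and never "*".
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Constructed sample Origin values, as a browser (or a redirect chain)
// might send them, to show what each one produces.
const SAMPLE_ORIGINS = [
  "https://app.example.com",
  "https://APP.example.com",
  "https://app.example.com.evil.test",
  "https://app.example.com https://evil.test",
  "null",
  undefined,
];
for (const o of SAMPLE_ORIGINS) {
  console.log(JSON.stringify(o), "->", corsHeadersFor(o));
}
```

The match is on the whole canonical origin string, so a look-alike host such as app.example.com.evil.test, a prefix match, or a list of origins never produces an Access-Control-Allow-Origin header at all; the Vary header is emitted unconditionally because the decision depends on the request's Origin even when the answer is "no header".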