CORS - 它是客户端的东西,服务器端的东西,还是传输层的东西?
I am trying to understand CORS. From my understanding, it empowers you to limit which domains can access a resource on your server. However, this doesn't seem like the full story. For example, I have a web service without CORS enabled. I cannot hit this web service from my web application via jQuery (the app is running on localhost). However, I can hit the web service from Postman. So, I'm a bit confused. Is there some extra client-side work that involves CORS?
Recommended answer
The server is responsible for reporting the allowed origins. The web browser is responsible for enforcing that requests are only sent from allowed domains.
CORS is applied to requests when an Origin header is included in the request. This includes requests made from JavaScript and POST requests. It's not applied to all resources. The origin is the protocol, host and port that is making the request. Requests made by JavaScript use the origin that loaded the JavaScript, not the origin that it was loaded from.
When CORS is not enabled a browser will rely on the same origin policy. The same origin policy is only applied to scripts. The browser will only allow scripts to be loaded from the same origin as the loaded page. The same origin policy is assumed when no origins are explicitly allowed.
An HTTP client other than a browser won't use either the same origin policy or CORS. Requests made from these other HTTP clients don't have an origin. Unless the Postman desktop app emulates a browser it will be able to make requests to any URL.
CORS and the same origin policy are needed because a browser does not implicitly trust the websites it visits to make requests to other websites. They don't protect the origin site, they protect the site receiving the cross origin requests. This is why the allowed origins are up to the targeted server.
Without these policies a simple script that repeatedly loads a website could be distributed by ad networks or script injection and then any browser loading the script would contribute to a denial of service attack on the website. With CORS and the same origin policy a browser will limit the impact of this script.
Another important protection CORS provides is to protect against Cross-site request forgery. It prevents a site from making some types of requests to another site. These requests would be made using any previously created tokens, such as session tokens.
An example of CORS:
A web browser loads a page from www.example.com. The page includes a script that makes a request to www.example.org. The origin of the request is www.example.com. The browser either makes the request or sends an OPTIONS request first (the preflight request). When the server at www.example.org receives a request from an origin other than www.example.org, it responds with a response header Access-Control-Allow-Origin which tells the browser the origins allowed to make requests. It may also respond with other headers like Access-Control-Allow-Methods and Access-Control-Allow-Headers that can restrict the types of allowed requests. When the browser is told what origins are allowed it will block future requests from disallowed origins.