1. <small id='d6gea'></small><noframes id='d6gea'>

    <i id='d6gea'><tr id='d6gea'><dt id='d6gea'><q id='d6gea'><span id='d6gea'><b id='d6gea'><form id='d6gea'><ins id='d6gea'></ins><ul id='d6gea'></ul><sub id='d6gea'></sub></form><legend id='d6gea'></legend><bdo id='d6gea'><pre id='d6gea'><center id='d6gea'></center></pre></bdo></b><th id='d6gea'></th></span></q></dt></tr></i><div id='d6gea'><tfoot id='d6gea'></tfoot><dl id='d6gea'><fieldset id='d6gea'></fieldset></dl></div>
    <tfoot id='d6gea'></tfoot>
    • <bdo id='d6gea'></bdo><ul id='d6gea'></ul>

      <legend id='d6gea'><style id='d6gea'><dir id='d6gea'><q id='d6gea'></q></dir></style></legend>
    1. 为什么禁止没有凭据的 CORS?

      Why is CORS without credentials forbidden?(为什么禁止没有凭据的 CORS?)

      • <i id='MSxw1'><tr id='MSxw1'><dt id='MSxw1'><q id='MSxw1'><span id='MSxw1'><b id='MSxw1'><form id='MSxw1'><ins id='MSxw1'></ins><ul id='MSxw1'></ul><sub id='MSxw1'></sub></form><legend id='MSxw1'></legend><bdo id='MSxw1'><pre id='MSxw1'><center id='MSxw1'></center></pre></bdo></b><th id='MSxw1'></th></span></q></dt></tr></i><div id='MSxw1'><tfoot id='MSxw1'></tfoot><dl id='MSxw1'><fieldset id='MSxw1'></fieldset></dl></div>

        <small id='MSxw1'></small><noframes id='MSxw1'>

                <tbody id='MSxw1'></tbody>
            • <tfoot id='MSxw1'></tfoot>
              <legend id='MSxw1'><style id='MSxw1'><dir id='MSxw1'><q id='MSxw1'></q></dir></style></legend>
                <bdo id='MSxw1'></bdo><ul id='MSxw1'></ul>
                本文介绍了为什么禁止没有凭据的 CORS?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

                问题描述

                限时送ChatGPT账号..

                我试图理解为什么不允许没有凭据的跨域请求(默认情况下,没有设置服务器来返回 Access-Control-Allow-Origin 标头).当请求具有凭据时,一切都非常简单 - 如果您已登录,则可以代表您在其他网站上执行一些恶意操作,例如在 Facebook 上.

                I'm trying to understand why cross-domain requests without credentials are not allowed (by default, without setting up a server to return the Access-Control-Allow-Origin header). When a request has credentials all is pretty straightforward - one can fulfill some malicious actions on your behalf on other sites, for example on Facebook, if you have logged in on it.

                例如请求

                xhr = new XMLHttpRequest();
                xhr.open('GET', 'http://www.google.com');
                xhr.send();
                

                产生错误(我从这个站点在 Chrome 的控制台中执行它):

                produces the error (I executed it in Chrome's console from this site):

                XMLHttpRequest 无法加载 http://www.google.com/.不请求中存在Access-Control-Allow-Origin"标头资源.因此,来源 'http://stackoverflow.com' 是不允许的访问.

                XMLHttpRequest cannot load http://www.google.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://stackoverflow.com' is therefore not allowed access.

                因此,服务器必须发送适当的标头(例如 Access-Control-Allow-Origin: * )才能使该请求起作用.

                So, the server must send an appropriate header (e.g Access-Control-Allow-Origin: * ) to this request can work.

                这只是一个简单的请求,不会发送任何 cookie.这种限制的原因是什么?如果允许此类 CORS,可能会出现哪些安全问题?

                This is just a simple request and no cookies are sent. What's the reason for such a restriction? What security issues might take place if such CORS will be allowed?

                没有凭据 - 没有 cookie:XMLHTTPRequest 的默认设置是 withCredentials = false,因此请求中不会发送任何 cookie - 链接.

                without credentials - without cookies: default settings for XMLHTTPRequest is withCredentials = false, so no cookies are sent in the request - link.

                推荐答案

                我会继续从 Security.SE 的 为什么需要 Access-Control-Allow-Origin 标头?

                I'll go ahead and liberally steal from Security.SE's Why is the Access-Control-Allow-Origin header necessary?

                这里主要关注的是基于网络拓扑的访问控制.假设您在家庭网络上运行 HTTP 服务(事实上,如果您的路由器本身具有 Web 界面,您几乎肯定会这样做).我们将此服务称为 R,只有连接到家庭路由器的机器才能访问该服务.

                The main concern here is access control based on network topology. Suppose you run a HTTP service on your home network (in fact, you almost certainly do, if your router itself has a Web interface). We'll call this service R, and the only machines connected to your home router can get to the service.

                当您的浏览器访问 evil.example.com 时,该站点会为您的浏览器提供一个脚本,告诉它获取 R 的内容并将其发送回 evil.example.com.即使没有凭据,这也可能很糟糕,因为它违反了本地网络之外的任何人都无法查看本地网络内运行的服务的假设.同源策略阻止了这种情况的发生.如果同源策略仅在涉及凭据时发挥作用,则可能会绕过基于拓扑的保护.

                When your browser visits evil.example.com, that site serves your browser a script, telling it to fetch the contents of R and send it back to evil.example.com. This is potentially bad, even without credentials, because it's a violation of the assumption that no one outside your local network can view the services running inside your local network. The same-origin policy stops this from happening. If the same-origin policy only came into play when credentials were involved, it would opens up the possibility of bypassing topology-based protections.

                还要考虑一些公共服务允许基于 IP 地址的访问:

                Consider also that some public services allow access based on IP address:

                • 牛津英语词典将其在线条目的访问权限限制为来自订阅大学的 IP 地址
                • 英国将 BBC 内容的访问权限限制在国内的 IP 地址内

                在此处列出的所有情况下,浏览器都可能被用作任何为其提供脚本的网站的不知情代理.

                In all of the cases listed here, a browser could be used as an unwitting proxy for any site that serves it a script.

                这篇关于为什么禁止没有凭据的 CORS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

                本站部分内容来源互联网,如果有图片或者内容侵犯了您的权益,请联系我们,我们会在确认后第一时间进行删除!

                相关文档推荐

                SCRIPT5: Access is denied in IE9 on xmlhttprequest(SCRIPT5:在 IE9 中对 xmlhttprequest 的访问被拒绝)
                XMLHttpRequest module not defined/found(XMLHttpRequest 模块未定义/未找到)
                Show a progress bar for downloading files using XHR2/AJAX(显示使用 XHR2/AJAX 下载文件的进度条)
                How can I open a JSON file in JavaScript without jQuery?(如何在没有 jQuery 的情况下在 JavaScript 中打开 JSON 文件?)
                How do I get the HTTP status code with jQuery?(如何使用 jQuery 获取 HTTP 状态码?)
                quot;Origin null is not allowed by Access-Control-Allow-Originquot; in Chrome. Why?(“Access-Control-Allow-Origin 不允许 Origin null在铬.为什么?)

                <small id='W6piC'></small><noframes id='W6piC'>

                <tfoot id='W6piC'></tfoot>
                  <tbody id='W6piC'></tbody>

                    <legend id='W6piC'><style id='W6piC'><dir id='W6piC'><q id='W6piC'></q></dir></style></legend>
                    <i id='W6piC'><tr id='W6piC'><dt id='W6piC'><q id='W6piC'><span id='W6piC'><b id='W6piC'><form id='W6piC'><ins id='W6piC'></ins><ul id='W6piC'></ul><sub id='W6piC'></sub></form><legend id='W6piC'></legend><bdo id='W6piC'><pre id='W6piC'><center id='W6piC'></center></pre></bdo></b><th id='W6piC'></th></span></q></dt></tr></i><div id='W6piC'><tfoot id='W6piC'></tfoot><dl id='W6piC'><fieldset id='W6piC'></fieldset></dl></div>

                      <bdo id='W6piC'></bdo><ul id='W6piC'></ul>