Java的CORS错误，但Python/PHP却没有 [英] CORS error with Javascript but not with Python/PHP

问题描述

我正在编写一个小脚本来访问外部API进行工作.我最初是用Python完成的，并且一切正常.

I'm writing a small script to access an external API for work. I originally did this in Python and everything worked fine.

然后，我被要求尝试使用Javascript进行操作.现在，我并不是真正的程序员，但是我确实知道(或相信)Javascript主要用于客户端，而PHP或Python确实用于服务器端操作.当我用Python编写脚本时，我没有遇到任何问题，但是在Javascript中，我得到了

I was then asked to try and do it in Javascript. Now, I'm no programmer really, but I do know (or believe) that Javascript is largely for client-side, whereas PHP or Python are really for server-side operations. When I wrote the script in Python I had no problems, but in Javascript I get a

Response to preflight request doesn't pass access control check: No 
'Access-Control-Allow-Origin' header is present on the requested
resource.

错误.根据我对CORS的了解，此处以及在Stack上的类似问题，这是有道理的，但是我真的不明白为什么我在Python或PHP中没有得到类似的错误...

error. From what I've read about CORS here and similar questions on Stack, that makes sense, but I don't really understand why I don't get a similar error in Python or PHP...

我对此很陌生，所以我可能会错过很多事情，但是我真的很感谢任何人都能给我的见解.如果我遗漏了任何重要信息，请告诉我.

I'm fairly new to this so I'm probably missing a number of things, but I'd really appreciate any insight anyone can give me. If I've left out any important info, please let me know.

推荐答案

来自

出于安全原因，浏览器限制了从脚本内部发起的跨域HTTP请求.例如，XMLHttpRequest和Fetch遵循同源策略.因此，使用XMLHttpRequest或Fetch的Web应用程序只能向其自己的域发出HTTP请求.

For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts. For example, XMLHttpRequest and Fetch follow the same-origin policy. So, a web application using XMLHttpRequest or Fetch could only make HTTP requests to its own domain.

由于浏览器中的Javascript使用XMLHttpRequest和fetch发出HTTP请求，因此必须遵守CORS政策.

Since Javascript in the browser uses XMLHttpRequest and fetch to make HTTP requests, they're subject to CORS policy enforcement.

有关 CORS的原因的更多信息:

CORS旨在允许资源主机(通过HTTP提供其数据的任何服务)限制哪些网站可以访问该数据.

CORS is intended to allow resource hosts (any service that makes its data available via HTTP) to restrict which websites may access that data.

示例:您正在托管一个显示流量数据的网站，并且您正在网站上使用AJAX请求.如果不存在SOP和CORS，则任何其他网站都可以通过简单地AJAX到您的端点来显示您的流量数据.任何人都可以轻松地窃取"您的数据，从而窃取您的用户和资金.

Example: You are hosting a website that shows traffic data and you are using AJAX requests on your website. If SOP and CORS were not there, any other website could show your traffic data by simply AJAXing to your endpoints; anyone could easily "steal" your data and thus your users and your money.

您使用的外部API可能有意实施了CORS策略.例如，如果API需要用于身份验证的应用程序级密钥，则CORS策略会阻止在公共环境(即浏览器)中使用该密钥.另外，API可能会列出CORS可接受的域名列表，其中不包括您当前正在使用的域.

The external API you're using likely implemented a CORS policy intentionally. For example, if the API requires an application-level secret key for authentication, a CORS policy would discourage the use of that key in a public environment (namely the browser). Alternatively, the API may have a list of acceptable domain names for CORS that doesn't include the domain you're currently using.

这些只是几个例子； API可能会出于多种原因实现CORS标头.

Those are just a few examples; there could be any number of reasons for an API to implement CORS headers.

这篇关于Java的CORS错误，但Python/PHP却没有的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！