Cors and web resource

Problem description

I'm trying to figure out what is CORS. In MDN it is described as:


A resource makes a cross-origin HTTP request when it requests a resource from a different domain than the one which the first resource itself serves.

I'm not sure I know what a web resource is. In addition, I understand that CORS allows me to use a web resource from another domain in my domain by putting the domain in the header, but is it just a convention or something more than that?

Recommended answer

Let me try to explain briefly.

Web resource

A web resource is anything you request on the web. That could be an image, a json payload, a pdf, an html-page etc. There's not more to it than that.

CORS

When you want to do an ajax-request in a browser (typically from javascript), you are typically limited to making requests to resources (URLs) on the same domain. E.g. www.x.com can only request resources from www.x.com. Let's imagine you have a web page on www.x.com that wants to get a resource from api.x.com. This will not be possible unless the server (api.x.com) has CORS enabled.

So how does it work? Well, the flow is like this (simplified a lot).

When you do an ajax-request, for instance a GET request for a json payload, the browser sees this and issues an OPTIONS request to the server in which it states who it is (www.x.com in the Origin header). The server is then supposed to answer with a response with a header saying that it is ok for www.x.com to do the GET request. The server does this by adding a header Access-Control-Allow-Origin: www.x.com. If the allowed origin matches the origin in the request, the browser issues the GET request and the json payload is returned by the server. If the allowed origin does not match, the browser refuses to do the request and shows an error in the console.

If you are doing the client (www.x.com), and are using - let's say jQuery - you don't have to do anything. Everything happens automatically.

If you are doing the server (api.x.com), you have to enable CORS. How this is done varies a lot, but http://enable-cors.org/server.html has a nice guide on how to do it on different server types. They also have some more in-depth guides on how it works. Specifically you might wanna take a look here: https://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/

Hope this helps.
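
The server side of the flow described in the answer above, as an added example that is not part of the original answer: a Node.js decision function for a server such as api.x.com that answers the OPTIONS preflight and decorates the actual request. The allowlists, the function names and the `https://` scheme are assumptions; browsers send the Origin header with the scheme included, so the allowlist entry is written as `https://www.x.com`.

```javascript
// Added example: CORS decision logic for a server such as api.x.com.
// The allowlists and function names are assumptions, not from the answer.
const ALLOWED_ORIGINS = new Set(["https://www.x.com"]); // exact match, scheme included
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Returns { status, headers }. status === null means "not a preflight,
// continue to the normal route handler with these extra headers".
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  const headers = { Vary: "Origin" }; // caches must not reuse a reply across origins
  if (!origin) return { status: null, headers }; // same-origin or non-browser client
  if (!ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin is sent, so the browser withholds the
    // response from the calling script; a preflight is refused outright.
    return { status: method === "OPTIONS" ? 403 : null, headers };
  }
  const wantedMethod = reqHeaders["access-control-request-method"];
  if (method !== "OPTIONS" || !wantedMethod) {
    headers["Access-Control-Allow-Origin"] = origin; // echo the allowlisted value only
    return { status: null, headers };
  }
  // Preflight: check the method and headers the real request intends to use.
  const wantedHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantedMethod) &&
    wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { status: 403, headers };
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // browser may cache the preflight for 10 min
  return { status: 204, headers };
}

// Usable as http.createServer(handler); Node lower-cases incoming header names.
function handler(req, res) {
  const { status, headers } = corsDecision(req.method, req.headers);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (status !== null) {
    res.statusCode = status;
    return res.end();
  }
  res.setHeader("Content-Type", "application/json");
  res.end(JSON.stringify({ ok: true }));
}
```

A non-preflighted request from an origin outside the allowlist still reaches the route handler; the missing header only stops the browser from handing the response to the calling page, so authentication and authorization stay the server's job.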
