引入飞行前CORS请求背后的动机是什么? [英] What is the motivation behind the introduction of preflight CORS requests?
问题描述
跨源资源共享是一种允许网页向另一个域发出XMLHttpRequest的机制(来自
Cross-origin resource sharing is a mechanism that allows a web page to make XMLHttpRequests to another domain (from wikipedia).
在过去的几天里,我一直在和CORS嬉戏,我认为我对所有工作原理都有很好的了解.
I've been fiddling with CORS for the last couple of days and I think I have a pretty good understanding of how everything works.
所以我的问题不是关于CORS/预检如何工作,而是关于将预检作为新请求类型的原因.我看不到任何原因服务器A需要向服务器B发送预检(PR)只是为了确定是否接受实际请求(RR)-B肯定有可能在没有请求的情况下接受/拒绝RR任何以前的公关.
So my question is not about how CORS / preflight work, it's about the reason behind coming up with preflights as a new request type. I fail to see any reason why server A needs to send a preflight (PR) to server B just to find out if the real request (RR) will be accepted or not - it would certainly be possible for B to accept/reject RR without any prior PR.
经过大量搜索后,我在www上发现了这条信息.w3.org(7.1.5):
After searching quite a bit I found this piece of information at www.w3.org (7.1.5):
为了保护资源免受在本规范存在之前可能源自某些用户代理的跨域请求,发出预检请求以确保资源知道这一点规范.
我发现这是有史以来最难理解的句子.我的解释(最好将其称为最佳猜测")是关于保护服务器B免受来自服务器C的不知道该规范的请求的影响.
I find this is the hardest to understand sentence ever. My interpretation (should better call it 'best guess') is that it's about protecting server B against requests from server C that is not aware of the spec.
有人可以解释一种情况/显示PR + RR比单独使用RR更能解决问题吗?
Can someone please explain a scenario / show a problem that PR + RR solves better than RR alone?
推荐答案
我花了一些时间对预检请求的目的感到困惑,但是我现在已经明白了.
I spent some time being confused as to the purpose of the preflight request but I think I've got it now.
关键见解是,飞行前请求不是安全事情.相反,它们是不变的规则.
The key insight is that preflight requests are not a security thing. Rather, they're a not-changing-the-rules thing.
Preflight请求与安全无关,并且与具有CORS意识的当前正在开发的应用程序无关.相反,预检机制会使在没有的情况下开发的服务器没有CORS的好处,并且它充当客户端和服务器之间是否都知道CORS的健全性检查.CORS的开发人员认为那里有足够多的服务器依赖于它们永远不会收到的假设,例如跨域DELETE请求,他们发明了预检机制以允许双方选择加入.他们认为,本来只是允许跨域调用的另一种选择,将破坏太多现有的应用程序.
Preflight requests have nothing to do with security, and they have no bearing on applications that are being developed now, with an awareness of CORS. Rather, the preflight mechanism benefits servers that were developed without an awareness of CORS, and it functions as a sanity check between the client and the server that they are both CORS-aware. The developers of CORS felt that there were enough servers out there that were relying on the assumption that they would never receive, e.g. a cross-domain DELETE request that they invented the preflight mechanism to allow both sides to opt-in. They felt that the alternative, which would have been to simply enable the cross-domain calls, would have broken too many existing applications.
这里有三种情况:
-
旧服务器,已不再开发,并且在CORS之前开发.这些服务器可能会假设它们永远不会收到例如跨域DELETE请求.这种情况是预检机制的主要受益人.是的,这些服务可能已经被恶意或不合格的用户代理滥用(并且CORS对此没有任何改变),但是在CORS的世界中预检机制提供了额外的健全性检查",以使客户端和服务器不会因为网络的基本规则发生变化而中断.
Old servers, no longer under development, and developed before CORS. These servers may make assumptions that they'll never receive e.g. a cross-domain DELETE request. This scenario is the primary beneficiary of the preflight mechanism. Yes these services could already be abused by a malicious or non-conforming user agent (and CORS does nothing to change this), but in a world with CORS the preflight mechanism provides an extra 'sanity check' so that clients and servers don't break because the underlying rules of the web have changed.
仍在开发中的服务器,但其中包含许多旧代码,因此对于所有旧代码进行审核以确保其在跨域环境中正常运行是不可行/不希望的.这种情况允许服务器逐步选择加入CORS,例如通过说现在我将允许这个特定的标头",现在我将允许这个特定的HTTP动词",现在我将允许发送cookie/auth信息"等.预检机制.
Servers that are still under development, but which contain a lot of old code and for which it's not feasible/desirable to audit all the old code to make sure it works properly in a cross-domain world. This scenario allows servers to progressively opt-in to CORS, e.g. by saying "Now I'll allow this particular header", "Now I'll allow this particular HTTP verb", "Now I'll allow cookies/auth information to be sent", etc. This scenario benefits from the preflight mechanism.
编写的具有CORS意识的新服务器.根据标准的安全惯例,服务器必须面对任何传入请求来保护其资源-服务器无法信任客户端不进行恶意操作.此方案无法从预检机制中受益:预检机制不会为已正确保护其资源的服务器带来额外的安全性.
New servers that are written with an awareness of CORS. According to standard security practices, the server has to protect its resources in the face of any incoming request -- servers can't trust clients to not do malicious things. This scenario doesn't benefit from the preflight mechanism: the preflight mechanism brings no additional security to a server that has properly protected its resources.
这篇关于引入飞行前CORS请求背后的动机是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
