CORS 允许来源限制不会导致服务器拒绝请求 [英] CORS allowed-origin restrictions aren’t causing the server to reject requests
问题描述
我使用的是 Spring Boot v1.5.1,似乎我对 CORS 来源的限制不起作用.
I am using Spring Boot v1.5.1, and it seems my restriction on CORS origin is not working.
我的 application.properties 文件有以下一行 (ref1 ref2).
My application.properties file has the following line (ref1 ref2).
endpoints.cors.allowed-origins=http://mydomain.io
我的 REST 控制器如下所示.
My REST controller looks like the following.
@RestController
@CrossOrigin
@RequestMapping("/api/car")
public class CarCtrl {
@Autowired
private CarService carService;
@GetMapping
public Car get() {
return carService.getLatest();
}
}
但是,当我打开浏览器并输入 http://localhost:8080/api/car
时,我仍然可以访问 REST 端点.
However, when I open up a browser and type in http://localhost:8080/api/car
I am still able to access the REST endpoint.
我也尝试如下更改我的注释,但这不起作用.
I also tried to change my annotation as follows, but that does not work.
@CrossOrigin("${endpoints.cors.allowed-origins}")
对我做错了什么有任何想法吗?
Any ideas on what I'm doing wrong?
请注意,我没有像这样使用 WebMvcConfigurerAdapter
post一>.我真的需要扩展这个类来显式控制起源吗?我认为除了属性文件设置之外,@CrossOrigin
注释将能够控制允许的来源(而不是必须以编程方式进行).
Note that I am not using WebMvcConfigurerAdapter
like this post. Do I really need to extends this class to explicitly control origin? I figured that the @CrossOrigin
annotation in addition to the properties file setting would be able to control the allowed origins (as opposed to having to do so programmatically).
推荐答案
但是,当我打开浏览器并输入 http://localhost:8080/api/car 时,我仍然能够访问 REST 端点.
However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.
CORS allowed-origins 设置不会导致服务器阻止请求.
CORS allowed-origins settings don’t cause servers to block requests.
而且由于服务器不会阻止请求,因此不会阻止您直接在浏览器中打开 URL.
And because the server isn’t blocking the request, that doesn’t prevent you from opening the URL directly in a browser.
同源策略是强加跨域限制的策略,同源策略仅适用于在 Web 浏览器中运行的 Web 应用程序中的前端 JavaScript,并且使用 XHR 或 Fetch 或 jQuery $.ajax(...)
或其他任何发出跨域请求的内容.
The same-origin policy is what imposes cross-origin restrictions, and the same-origin policy is only applied to frontend JavaScript in web applications running in a web browser, and using XHR or Fetch or jQuery $.ajax(…)
or whatever to make cross-origin requests.
因此 CORS 不是导致服务器阻止请求的方法.因此,它也不是阻止用户直接导航到 URL 的方法,也不是阻止任何非网络应用程序工具(如 curl
或 Postman 或其他任何工具)的方法访问 URL.
So CORS isn’t a way to cause servers to block requests. And so it also isn’t a way to prevent users from being able to directly navigate to a URL, and isn’t a way to prevent any non-web-application tools like curl
or Postman or whatever from accessing the URL.
这篇关于CORS 允许来源限制不会导致服务器拒绝请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!