启用 CORS 的服务器不拒绝请求 [英] CORS-enabled server not denying requests

问题描述

我正在尝试将 express Cors 与我的 resitfy 服务器一起使用，但它似乎不是拒绝来自其他 ip 的请求.我在本地工作，所以我尝试将 origin 设置为随机公共 ip，但我的所有请求仍在通过

I am trying to use express Cors with my resitfy server and it doesn't seem to be denying requests coming from other ips. I am working locally so I tried setting origin to a random public ip but all of my requests are still going through

这是我的路线:

module.exports = function(app) {
    var user = require('./controllers/userController');
    var cors = require('cors');
    var corsOptions = require('./cors.json');


    app.post('/auth/signup', cors(corsOptions),user.createUser);
    app.post('/auth/login', cors(corsOptions), user.validateUser);
    app.post('/auth/generateKeys', cors(corsOptions), user.generateKeys);
    app.post('/auth/generateToken', user.generateToken);
};

这是我设置了随机 IP 的 cors.json 文件:

and here is my cors.json file where I have set a random ip:

{
    "origin": "http://172.16.12.123",
    "optionsSuccessStatus": 200,
}

在路线上设置 cors 后，我可以在邮递员中看到以下内容，但请求仍在通过?我希望得到拒绝访问的响应.

With cors set on the route I can see the following in postman but the request is still going through? I would expect an access denied response.

Access-Control-Allow-Origin →http://172.16.12.123

Access-Control-Allow-Origin →http://172.16.12.123

推荐答案

CORS 配置本身不会导致服务器拒绝请求.不能仅通过 CORS 配置导致服务器端请求阻塞.

CORS configuration on its own isn’t going to cause a server to deny requests. You can’t cause server-side blocking of requests just through CORS configuration.

当您使用 CORS 支持对其进行配置时，服务器所做的唯一不同就是发送 Access-Control-Allow-Origin 响应标头和其他 CORS 响应标头.就是这样.

The only thing a server does differently when you configure it with CORS support is just to send the Access-Control-Allow-Origin response header and other CORS response headers. That’s it.

跨域限制的实际执行仅由浏览器完成，而不是由服务器完成.

Actual enforcement of cross-origin restrictions is done only by browsers, not by servers.

因此，无论您对服务器进行何种服务器端 CORS 配置，服务器仍会继续接受来自所有客户端和源的请求；换句话说，来自所有来源的所有客户端仍然继续从服务器获取响应，就像他们在其他情况下一样.

So no matter what server-side CORS configuration you make to a server, the server still goes on accepting requests from all clients and origins it would otherwise; in other words, all clients from all origins still keep on getting responses from the server just as they would otherwise.

但是浏览器只会将来自跨源请求的响应暴露给在特定源运行的前端 JavaScript 代码，如果请求被发送到选择加入的服务器通过响应 Access-Control-Allow-Origin 允许该来源的标头.

But browsers will only expose responses from cross-origin requests to frontend JavaScript code running at a particular origin if the server the request was sent to opts-in to permitting the request by responding with an Access-Control-Allow-Origin header that allows that origin.

这是您使用 CORS 配置唯一可以做的事情.您不能仅通过执行任何服务器端 CORS 配置来使服务器仅接受和响应来自特定来源的请求.为此，您需要使用的不仅仅是 CORS 配置.

That’s the only thing you can do using CORS configuration. You can’t make a server only accept and respond to requests from particular origins just by doing any server-side CORS configuration. To do that, you need to use something other than just CORS configuration.

这篇关于启用 CORS 的服务器不拒绝请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！