Understanding CORS


Question

I've been reading about CORS on the web, and I wanted to confirm whether what I have made of it is what it actually is.

What follows is a completely hypothetical scenario.

I'll take the example of a normal website. Say my HTML page has a form that takes a text field, name. On submitting it, it sends the form data to myPage.php. Now, what happens internally is that the server sends the request to www.mydomain.com/mydirectory/myPage.php along with the text fields. Now, the server sees that the request was fired off from the same domain/port/protocol

(Question 1. How does the server know about all these details? Where does it extract all these details from?)

Nonetheless, since the request originated from the same domain, it serves the PHP script and returns whatever is required of it.

Now, for the sake of argument, let's say I don't want to fill the data in the text field manually, but instead I want to do it programmatically. What I do is create an HTML page with JavaScript and fire off a POST request along with the parameters (i.e. the values of the text field). Now, since my request is not from any domain as such, the server refuses to service my request, and I get a cross-domain error?

Similarly, I could have written a Java program that makes use of an HttpClient POST request and does the same thing.

Question 2: What is the problem here?

Now, what CORS provides us is that the server will say 'anyone can access myPage.php'. From enable-cors.org, it says that

For simple CORS requests, the server only needs to add the following header to its response: Access-Control-Allow-Origin: *

Now, what exactly is the client going to do with this header? As in, the client wanted to make the call to the resources on the server anyway, right? It should be up to the server to just configure itself with whether it wants to accept or not, and act accordingly.

Question 3: What is the use of sending the header back to the client, which has already made the request to the server?

And finally, what I don't get is this: say I am building some RESTful services for my Android app. Now, say I have one POST service, www.mydomain.com/rest/services/myPost. I've got my Tomcat server hosting these services on my local machine.

In my Android app, I just call this service and get the result back (if any). Where exactly did I use CORS in this case? Does this fall under a different category of server calls? If yes, then how exactly?

Furthermore, I checked Enable CORS for Tomcat and it says that I can add a filter in the web.xml of my dynamic web project, and then it will start accepting it.

Question 4: What makes my Android device able to call my web services?

Thanks

Answer

  1. First of all, the cross-domain check is performed by the browser, not the server. When the JavaScript makes an XMLHttpRequest to a server other than its origin, if the browser supports CORS it will initiate a CORS process. Otherwise, the request will result in an error (unless the user has deliberately reduced browser security).

When the server encounters the Origin HTTP header, the server will decide if it is in the list of allowed domains. If it is not in the list, the request will fail (i.e. the server will send an error response).

For numbers 3 and 4, I think you should ask separate questions. Otherwise this question will become too broad, and I think it will quickly get closed if you do not remove them.

For an explanation of CORS, please see this answer from Programmers: https://softwareengineering.stackexchange.com/a/253043/139479

NOTE: CORS is more of a convention. It does not guarantee security. You can write a malicious browser that disregards the same-domain policy, and it will execute JavaScript fetched from any site. You can also craft HTTP requests with arbitrary Origin headers, and get information from any third-party server that implements CORS. CORS only works if you trust your browser.
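The exchange the answer describes, as an added example that is not part of the original question or answer: one function models the server side (given a request carrying an Origin header, decide which CORS headers to emit, checking the origin against an explicit allow-list instead of reflecting whatever was sent) and one models the browser side (the check a CORS-capable browser runs on the response before it lets page script read it). The allow-list entries, the lower-cased header names and the request objects are constructed for the example.

```javascript
// Added example (not from the original page): a minimal model of the CORS exchange.
// Server side: decide which CORS headers to attach for a request that carries Origin.
// Browser side: apply the rules a CORS-capable browser uses before page JavaScript
// may read a cross-origin response. Allow-list and requests are constructed here.

// Assumption for the example: these are the only pages allowed to call the resource.
const ALLOWED_ORIGINS = new Set([
  "https://www.mydomain.com",
  "https://app.mydomain.com",
]);

// Server-side decision. `req` is {method, headers} with lower-case header names.
// Returns the response headers the server should add (an empty object if none).
function corsResponseHeaders(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers["origin"];
  const headers = {};

  // Same-origin form posts and non-browser clients (curl, HttpClient, an Android app)
  // normally send no Origin header: nothing to decide, no CORS headers needed.
  if (origin === undefined) return headers;

  // Never echo an arbitrary Origin back. Check it against the allow-list, and treat
  // the literal "null" origin (sandboxed iframes, file://) as not allowed.
  if (origin === "null" || !allowed.has(origin)) return headers;

  headers["Access-Control-Allow-Origin"] = origin;
  headers["Vary"] = "Origin"; // shared caches must key the response on Origin
  headers["Access-Control-Allow-Credentials"] = "true";

  // Preflight: before a non-simple request (e.g. a JSON POST) the browser sends an
  // OPTIONS request asking which methods and headers are permitted.
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] =
      req.headers["access-control-request-headers"] || "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Browser-side check, which is where the policy is actually enforced. `pageOrigin` is
// the origin of the page whose script issued the request; `resHeaders` are the headers
// the server returned. Returns true if the browser lets the script read the body.
function browserAllowsRead(pageOrigin, resHeaders, withCredentials) {
  const acao = resHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials; // wildcard is refused for credentialed requests
  if (acao !== pageOrigin) return false;
  if (withCredentials && resHeaders["Access-Control-Allow-Credentials"] !== "true") {
    return false;
  }
  return true;
}

// End-to-end: a page at `pageOrigin` posts a form cross-origin. The browser adds the
// Origin header itself; the server answers; the browser decides whether to hand the
// response to the script. Returns that final decision.
function simulate(pageOrigin, withCredentials, allowed = ALLOWED_ORIGINS) {
  const req = {
    method: "POST",
    headers: {
      origin: pageOrigin,
      "content-type": "application/x-www-form-urlencoded", // a "simple" request, no preflight
    },
  };
  const res = corsResponseHeaders(req, allowed);
  return browserAllowsRead(pageOrigin, res, withCredentials);
}
```

Note what this does and does not do. For a disallowed or forged Origin, corsResponseHeaders only withholds the Access-Control-Allow-Origin header; the server still returns the resource body, and it is browserAllowsRead, running inside the browser, that keeps the page's script from seeing it. A curl or HttpClient caller that sets its own Origin header, or the Android app from question 4, is not affected at all, which is the point of the answer's closing note: CORS governs what a browser lets a page read, it is not authentication or authorization for the endpoint.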
