Why is Access-Control-Expose-Headers needed?


Question

I was looking for the specific security reasons as to why this was added. It was kind of a WTH moment when I was implementing CORS and could see all the headers being returned, but I couldn't access them via JavaScript.

Answer

CORS is implemented in such a way that it does not break assumptions made in the pre-CORS, same-origin-only world.

In the pre-CORS world, a client could trigger a cross-origin request (for example, via a script tag), but it could not read the response headers.

In order to ensure that CORS doesn't break this assumption, the CORS spec requires the server to give explicit permission for the client to read those headers (via the Access-Control-Expose-Headers header). This way, unauthorized CORS requests behave as they did in the pre-CORS world.
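The filtering the answer describes can be modelled directly. The block below is an added example, not code from the original question or answer: it reproduces the rule a browser applies to a cross-origin response before handing headers to script, following the CORS-safelisted response-header names and the `*` wildcard handling from the Fetch standard. The function names (`readableHeaders`, `parseList`, `demo`) are mine, and the sample responses (an API that sets a pagination header and a cookie) are constructed for the example.

```javascript
// Added example: model of the browser-side filter that decides which
// response headers cross-origin JavaScript may read. Header names below are
// the real ones from the Fetch standard; the sample responses are constructed.

// Response headers script may always read cross-origin, even without
// Access-Control-Expose-Headers (the "CORS-safelisted response-header names").
const SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length', 'content-type',
  'expires', 'last-modified', 'pragma',
]);

// Forbidden response-header names: never exposed, even if the server lists
// them or uses the wildcard.
const FORBIDDEN = new Set(['set-cookie', 'set-cookie2']);

// Split a comma-separated header value into trimmed, lower-cased tokens.
function parseList(value) {
  if (!value) return [];
  return value.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Given the raw response headers (object; names are case-insensitive) and
// whether the request carried credentials, return the sorted list of header
// names that a script on another origin is allowed to read.
function readableHeaders(responseHeaders, { credentials = false } = {}) {
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const exposed = parseList(headers.get('access-control-expose-headers'));
  // "*" exposes every non-forbidden header, but only for requests made
  // without credentials; with credentials it is just a literal name.
  const wildcard = !credentials && exposed.includes('*');
  const allowed = new Set(exposed);

  const result = [];
  for (const name of headers.keys()) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || wildcard || allowed.has(name)) {
      result.push(name);
    }
  }
  return result.sort();
}

// Constructed response: an API that returns a pagination header but does not
// expose it, so a cross-origin caller sees only Content-Type.
const withoutExpose = {
  'Content-Type': 'application/json',
  'X-Total-Count': '42',
  'Set-Cookie': 'session=abc',
};

// Same response with the header explicitly exposed.
const withExpose = {
  ...withoutExpose,
  'Access-Control-Expose-Headers': 'X-Total-Count',
};

// Run the four interesting cases and return them together.
function demo() {
  return {
    notExposed: readableHeaders(withoutExpose),
    exposed: readableHeaders(withExpose),
    wildcardNoCreds: readableHeaders(
      { ...withoutExpose, 'Access-Control-Expose-Headers': '*' }),
    wildcardWithCreds: readableHeaders(
      { ...withoutExpose, 'Access-Control-Expose-Headers': '*' },
      { credentials: true }),
  };
}

console.log(demo());
```

Note that `Access-Control-Expose-Headers` itself is not safelisted, so unless the server lists it, script cannot read it either; and `Set-Cookie` is dropped in every case, which is why setting `Access-Control-Expose-Headers: *` does not leak session cookies to a foreign origin.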
