What is the issue CORS is trying to solve?


Question

I've been reading up on CORS and how it works, but I'm finding a lot of things confusing. For example, there are lots of details about things like

User Joe is using browser BrowserX to get data from site.com, which in turn sends a request to spot.com. To allow this, spot has special headers... yada yada yada

Without much background, I don't understand why websites wouldn't let requests from some places. I mean, they exist to serve responses to requests, don't they? Why would certain people's requests not be allowed?

I would really appreciate a nice explanation (or a link to one) of the problem that CORS is made to solve.

So the question is,

What is the problem CORS is solving?

Recommended answer

The default behavior of web browsers that initiate requests from a page via JavaScript (AKA AJAX) is that they follow the same-origin policy. This means that requests can only be made via AJAX to the same domain (or sub-domain). Requests to an entirely different domain will fail.

This restriction exists because requests made to other domains by your browser would carry along your cookies, which often means you'd be logged in to the other site. So, without same-origin, any site could host JavaScript that called logout on stackoverflow.com, for example, and it would log you out. Now imagine the complications when we talk about social networks, banking sites, etc.

So, all browsers simply restrict script-based network calls to their own domain to make it simple and safe.

Site X at www.x.com cannot make AJAX requests to site Y at www.y.com, only to *.x.com.

There are some known work-arounds in place (such as JSONP, which doesn't include cookies in the request), but these are not a permanent solution.

CORS allows these cross-domain requests to happen, but only when each side opts into CORS support.
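To make the "each side opts in" point concrete, here is an added example (not part of the answer above, and not code from any particular framework) of the server-side half of that opt-in: a small policy evaluator in the style of a Node.js middleware that decides which `Access-Control-*` headers to return for a request. It only ever echoes an origin that is on an explicit allowlist, so a page on an arbitrary domain that carries the user's cookies gets no `Access-Control-Allow-Origin` and the browser blocks the response. The origins, methods and header names in `policy`, and the sample requests, are constructed for this illustration.

```javascript
// Added example (not from the original answer): a minimal server-side CORS
// policy evaluator. Given the request method and a lower-cased map of request
// headers, it returns the response headers (and, for preflights, a status)
// that implement the server's opt-in. Policy values below are constructed.

const policy = {
  // Explicit allowlist: the server opts in only for these origins.
  allowedOrigins: new Set(["https://www.x.com", "https://app.x.com"]),
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["content-type", "authorization"],
  allowCredentials: true, // cookies / Authorization may accompany the request
  maxAgeSeconds: 600,     // how long the browser may cache a preflight answer
};

// Returns { status, headers }. `status` is null for actual (non-preflight)
// requests, meaning "serve the normal response and merge these headers".
function corsHeadersFor(method, headers, pol = policy) {
  const origin = headers["origin"];
  // Same-origin navigations and non-browser clients send no Origin header;
  // there is nothing for CORS to decide.
  if (!origin) return { status: null, headers: {} };

  // Never reflect an arbitrary Origin. An origin that is not allowlisted gets
  // no Access-Control-Allow-Origin at all, so the browser refuses to hand the
  // response to the calling script, even though the server may have run it.
  if (!pol.allowedOrigins.has(origin)) return { status: null, headers: {} };

  const out = {
    "Access-Control-Allow-Origin": origin,
    // The answer differs per origin, so shared caches must key on Origin.
    "Vary": "Origin",
  };
  // Browsers reject "*" combined with credentials; because this policy echoes
  // one specific allowlisted origin, enabling credentials is permitted.
  if (pol.allowCredentials) out["Access-Control-Allow-Credentials"] = "true";

  const isPreflight =
    method === "OPTIONS" && headers["access-control-request-method"] !== undefined;
  if (!isPreflight) return { status: null, headers: out };

  // Preflight: the page is asking whether it may use this method and these
  // headers. Refuse anything outside the policy by omitting the Allow-* headers.
  const reqMethod = headers["access-control-request-method"];
  const reqHeaders = (headers["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  const methodOk = pol.allowedMethods.includes(reqMethod);
  const headersOk = reqHeaders.every((h) => pol.allowedHeaders.includes(h));
  if (!methodOk || !headersOk) {
    return { status: 403, headers: { "Vary": "Origin" } };
  }
  out["Access-Control-Allow-Methods"] = pol.allowedMethods.join(", ");
  out["Access-Control-Allow-Headers"] = pol.allowedHeaders.join(", ");
  out["Access-Control-Max-Age"] = String(pol.maxAgeSeconds);
  return { status: 204, headers: out };
}

// Constructed sample requests: an allowlisted origin, a foreign one, and a
// preflight asking for a method the policy does not permit.
console.log(corsHeadersFor("GET", { origin: "https://www.x.com" }));
console.log(corsHeadersFor("GET", { origin: "https://www.y.com" }));
console.log(corsHeadersFor("OPTIONS", {
  origin: "https://www.x.com",
  "access-control-request-method": "DELETE",
}));
```

The design choice worth noting is the negative case: when the origin is not allowlisted the function returns no CORS headers rather than an error, because the browser's check is simply "is my origin named in `Access-Control-Allow-Origin`?". Reflecting whatever `Origin` arrives (a common shortcut in ad-hoc middleware) would turn the allowlist into a no-op and reintroduce exactly the cookie-carrying cross-site request the answer describes.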

