Why is Access-Control-Expose-Headers needed?


Question

I was looking for the specific security reasons as to why this was added. It was kind of a WTH moment when I was implementing CORS and could see all the headers being returned but I couldn't access them via JavaScript.

Recommended answer

CORS is implemented in such a way that it does not break assumptions made in the pre-CORS, same-origin-only world.

In the pre-CORS world, a client could trigger a cross-origin request (for example, via a script tag), but it could not read the response headers.

In order to ensure that CORS doesn't break this assumption, the CORS spec requires the server to give explicit permissions for the client to read those headers (via the Access-Control-Expose-Headers header). This way, unauthorized CORS requests behave as they did in a pre-CORS world.
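
An added example, not part of the original answer: a simplified JavaScript model of the response-header filtering described above, following the Fetch standard's CORS-safelisted response header list. The sample response, the header names `X-Request-Id` and `X-Internal-Node`, and the function names are constructed for illustration.

```javascript
// Model of how a browser filters a CORS response's headers before script can
// read them. Simplified from the Fetch standard; not a browser's real code.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length", "content-type",
  "expires", "last-modified", "pragma",
]);
// Forbidden response-header names: never readable by script.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Parse Access-Control-Expose-Headers into a set of lowercase names.
function parseExposeHeaders(value) {
  return new Set(
    (value || "").split(",").map((n) => n.trim().toLowerCase()).filter(Boolean)
  );
}

// headers: plain object of response headers (constructed sample input).
// credentialed: true when the request was sent with credentials.
function readableHeaders(headers, credentialed = false) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const exposed = parseExposeHeaders(lower["access-control-expose-headers"]);
  // "*" is a wildcard only for requests without credentials.
  const wildcard = exposed.has("*") && !credentialed;
  const out = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || exposed.has(name) || wildcard) out[name] = value;
  }
  return out;
}

// Constructed sample response from a hypothetical cross-origin API.
const sample = {
  "Content-Type": "application/json",
  "X-Request-Id": "abc123",
  "X-Internal-Node": "node-7",
  "Set-Cookie": "sid=constructed",
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Expose-Headers": "X-Request-Id",
};

console.log(Object.keys(readableHeaders(sample)));
// Without Access-Control-Expose-Headers only the safelisted header is left.
const { "Access-Control-Expose-Headers": _omit, ...bare } = sample;
console.log(Object.keys(readableHeaders(bare)));
```

The browser's network panel still shows every header in both cases; the filtering applies only to what script can read from the response object.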
