What is the issue CORS is coming to solve?
Question
I've been reading up on CORS and how it works, but I'm finding a lot of things confusing. For example, there are lots of details about things like:

    User Joe is using browser BrowserX to get data from site.com, which in turn sends a request to spot.com. To allow this, spot has special headers... yada yada yada
Without much background, I don't understand why websites wouldn't let requests from some places. I mean, they exist to serve responses to requests, don't they? Why would certain people's requests not be allowed?
I would really appreciate a nice explanation (or a link to one) of the problem that CORS is made to solve.
So the question is, what is the problem CORS is solving?
Answer
The default behavior of web browsers that initiate requests from a page via JavaScript (AKA AJAX) is that they follow the same-origin policy. This means that requests can only be made via AJAX to the same domain (or sub domain). Requests to an entirely different domain will fail.
This restriction exists because requests made at other domains by your browser would carry along your cookies, which often means you'd be logged in to the other site. So, without same-origin, any site could host JavaScript that called logout on stackoverflow.com for example, and it would log you out. Now imagine the complications when we talk about social networks, banking sites, etc.
So, all browsers simply restrict script-based network calls to their own domain to make it simple and safe.
    Site X at www.x.com cannot make AJAX requests to site Y at www.y.com, only to *.x.com
There are some known work-arounds in place (such as JSONP, which doesn't include cookies in the request), but these are not a permanent solution.
CORS allows these cross-domain requests to happen, but only when each side opts into CORS support.
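To make the answer's last point concrete, here is an added example (written for this edit, not code from the question, the answer, or any project) of what "each side opts in" looks like: a server that emits the CORS headers only for an allow-listed origin, beside the weak variant that echoes any Origin back, and a simplified model of the browser's check that decides whether the calling page may read the response. The allow-list, the origins and the function names are assumptions made for the illustration.

```javascript
// Added example (not from the original question or answer): how a server's
// CORS "opt-in" headers and the browser's check fit together, and why
// reflecting any Origin re-creates the problem the same-origin policy avoids.
// All origins, the allow-list and the function names are assumptions made for
// this illustration.

// Hypothetical allow-list: the only origins this API is willing to serve
// cross-origin, credentialed (cookie-carrying) requests to.
const ALLOWED_ORIGINS = new Set(["https://www.x.com", "https://app.x.com"]);

// Weak setting: echo back whatever Origin the browser sent, with credentials.
// Any third-party page can then make a cookie-carrying request and read the
// response, which is exactly what the same-origin policy was stopping.
function corsHeadersReflecting(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected setting: grant access only to origins on the allow-list. A missing
// Access-Control-Allow-Origin header means the browser withholds the response
// from the calling script. "Vary: Origin" keeps caches from serving one
// origin's grant to another.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || !allowed.has(origin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Simplified model of the browser's side of the opt-in (a reduced version of
// the Fetch specification's CORS check, not a full implementation): the
// response may be read by the requesting page only if Allow-Origin matches
// exactly, and a credentialed request additionally requires
// Allow-Credentials: true and rejects the "*" wildcard.
function browserAllowsRead(requestOrigin, responseHeaders, withCredentials) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;
  if (allow === "*") return !withCredentials;
  if (allow !== requestOrigin) return false;
  if (withCredentials && responseHeaders["Access-Control-Allow-Credentials"] !== "true") {
    return false;
  }
  return true;
}

// Walk-through with constructed origins: the same credentialed request from a
// page on an unrelated site is readable under the reflecting server and
// blocked under the allow-listed one, while a trusted origin is still served.
function demo() {
  const unrelated = "https://other.example";
  const trusted = "https://app.x.com";
  return {
    reflectingLeaks: browserAllowsRead(unrelated, corsHeadersReflecting(unrelated), true), // true
    allowListBlocks: browserAllowsRead(unrelated, corsHeaders(unrelated), true),           // false
    allowListGrants: browserAllowsRead(trusted, corsHeaders(trusted), true),               // true
  };
}

console.log(demo());
```

Run it with `node` to see the three outcomes. The design point is that the server never has to know who is calling; it only has to refuse to emit the grant for origins it does not trust, and the browser does the rest, which is why the answer stresses that both sides must opt in.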