What is the issue CORS is coming to solve?


Question

I've been reading up on CORS and how it works, but I'm finding a lot of things confusing. For example, there are lots of details about things like


User Joe is using browser BrowserX to get data from site.com, which in turn sends a request to spot.com. To allow this, spot has special headers... yada yada yada

Without much background, I don't understand why websites wouldn't let requests from some places. I mean, they exist to serve responses to requests, don't they? Why would certain people's requests not be allowed?

I would really appreciate a nice explanation (or a link to one) of the problem that CORS is made to solve.

So the question is,

What is the problem CORS is solving?

Recommended answer

The default behavior of web browsers that initiate requests from a page via JavaScript (AKA AJAX) is that they follow the same-origin policy. This means that requests can only be made via AJAX to the same domain (or sub domain). Requests to an entirely different domain will fail.

This restriction exists because requests made at other domains by your browser would carry along your cookies which often means you'd be logged in to the other site. So, without same-origin, any site could host JavaScript that called logout on stackoverflow.com for example, and it would log you out. Now imagine the complications when we talk about social networks, banking sites, etc.

So, all browsers simply restrict script-based network calls to their own domain to make it simple and safe.

Site X at www.x.com cannot make AJAX requests to site Y at www.y.com, only to *.x.com

There are some known work-arounds in place (such as JSONP which doesn't include cookies in the request), but these are not a permanent solution.

CORS allows these cross-domain requests to happen, but only when each side opts into CORS support.
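
As an added example (not part of the original answer), the sketch below models the check a browser applies to a cross-origin response before page script may read it: the other side opts in with `Access-Control-Allow-Origin`, and cookie-bearing requests additionally need an exact origin match plus `Access-Control-Allow-Credentials: true`. The function names and sample URLs are assumptions of this sketch, origins are compared as scheme, host and port, and preflight requests are not modelled.

```javascript
// Simplified model of the browser-side CORS check (not a full Fetch implementation).
// Function names, URLs and header sets below are constructed for illustration.

function originOf(url) {
  return new URL(url).origin; // scheme + host + port, e.g. "https://www.x.com"
}

// Returns true when script running on pageUrl may read the response to requestUrl.
function scriptMayReadResponse(pageUrl, requestUrl, credentialsMode, responseHeaders) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(requestUrl)) return true; // same origin: no opt-in needed

  // Header names are case-insensitive; normalise before lookup.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value.trim();
  }
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false; // the other site did not opt in

  const withCredentials = credentialsMode === 'include'; // cookies are attached
  if (allowOrigin === '*') return !withCredentials; // wildcard never covers cookie-bearing requests
  if (allowOrigin !== pageOrigin) return false; // opted in, but for a different origin
  if (!withCredentials) return true;
  // With cookies, the server must also explicitly allow credentials.
  return headers['access-control-allow-credentials'] === 'true';
}

// Constructed sample cases using the answer's site X / site Y names.
const page = 'https://www.x.com/app';
const api = 'https://www.y.com/api/profile';
const cases = [
  ['no CORS headers', 'include', {}],
  ['wildcard, no cookies', 'omit', { 'Access-Control-Allow-Origin': '*' }],
  ['wildcard, with cookies', 'include', { 'Access-Control-Allow-Origin': '*' }],
  ['exact origin + credentials', 'include', {
    'Access-Control-Allow-Origin': 'https://www.x.com',
    'Access-Control-Allow-Credentials': 'true',
  }],
];
for (const [label, mode, hdrs] of cases) {
  console.log(label.padEnd(28), scriptMayReadResponse(page, api, mode, hdrs));
}
```

On the server side, the safe pattern this implies is to echo back only origins from an explicit allow-list and to send `Access-Control-Allow-Credentials: true` only for those.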
