Google云端硬盘webContentLink在文件公开时不支持CORS [英] Google Drive webContentLink does not support CORS when file is public
问题描述
webContentLink 应该是指向由fileResource表示的文件的直接链接。
让我们先忽略链接将会总是用指向生成的 downloadUrl (其具有非常有限的生命时间)的302来进行响应。
The webContentLink is supposed to be a direct link to the file represented by the fileResource.
Let's first ignore the fact that the link will infact always respond with a 302 pointing to a generated downloadUrl (which has a very finite life-time).
我理解 webContentLink 指向的资源使用基于Cookie的身份验证和CORS会带来安全风险,然而,文档明确说明,当有问题的文件是公共的(显然),不需要认证。
所以,对于文件是公开的情况下,我不明白为什么CORS不支持。
I understand that the resource pointed to by webContentLink uses cookie-based authentication and CORS would pose a security risk, however the documentation explicitly states that no authentication is needed when the file in question is public (obviously).
So for the case where the file is publicly available I do not understand why CORS is not supported.
有没有一些与此相关的安全风险,我无法实现? Bug?在使用或不使用 Access-Control-Allow-Origin 进行响应之前,检查文件的权限是否被视为太多工作。
Is there some security risk associated with this that I fail to realise? Bug? Was it deemed too much work to check the permissions on the file before responding with or without the Access-Control-Allow-Origin.
在旁注中,使用服务器端代理来获取302位置指向的 downloadUrl 一个支持CORS的资源。
On a side note, using a server-side proxy to fetch the downloadUrl pointed to by the 302 location produces a resource that does support CORS.
推荐答案
不是问题提出的问题的解决方案,特性我能够在不使用服务器端代理的情况下解决webContentLink的限制。
https:// googledrive。 com / host / shared_folder_id / relative_path
该链接将是文件的直接链接,并且资源支持CORS。但是这有一个限制,文件的名称必须在其自己的文件夹中是唯一的,否则它不工作。
That link will be a direct link to the file and the resource supports CORS. However this has the limitation that the file's name has to be unique inside its own folder, otherwise it does not work.
这篇关于Google云端硬盘webContentLink在文件公开时不支持CORS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
