CORS允许来源限制不会导致服务器拒绝请求（仍然可以在浏览器中访问该站点） [英] CORS allowed-origin restrictions aren’t causing the server to reject requests (can still access the site in browser)

问题描述

我正在使用Spring Boot v1.5.1，似乎我对CORS源的限制无效。

I am using Spring Boot v1.5.1, and it seems my restriction on CORS origin is not working.

我的application.properties文件有以下行（< a href =https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html\"rel =nofollow noreferrer> ref1 ref2 ）。

My application.properties file has the following line (ref1 ref2).

endpoints.cors.allowed-origins=http://mydomain.io

我的REST控制器如下所示。

My REST controller looks like the following.

@RestController
@CrossOrigin
@RequestMapping("/api/car")
public class CarCtrl {
  @Autowired
  private CarService carService;

  @GetMapping
  public Car get() {
    return carService.getLatest();
  }
}

然而，当我打开浏览器并输入时 http：// localhost：8080 / api / car 我仍然可以访问REST端点。

However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.

I还尝试按如下方式更改我的注释，但这不起作用。

I also tried to change my annotation as follows, but that does not work.

@CrossOrigin("${endpoints.cors.allowed-origins}")

关于我做错的任何想法？

Any ideas on what I'm doing wrong?

请注意，我没有像这样使用 WebMvcConfigurerAdapter 帖子。我是否真的需要扩展此类以明确控制原点？我认为除了属性文件设置之外， @CrossOrigin 注释将能够控制允许的来源（而不是必须以编程方式执行）。

Note that I am not using WebMvcConfigurerAdapter like this post. Do I really need to extends this class to explicitly control origin? I figured that the @CrossOrigin annotation in addition to the properties file setting would be able to control the allowed origins (as opposed to having to do so programmatically).

推荐答案

然而，当我打开浏览器并输入 http：// localhost：8080 / api / car 我仍然可以访问REST端点。

However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.

CORS allowed-origins设置不会阻止您直接在浏览器中打开URL。

CORS allowed-origins settings won’t prevent you from opening the URL directly in a browser.

仅限浏览器对使用XHR或Fetch或jQuery $。ajax（...）的网络应用程序中运行的JavaScript代码施加CORS限制。或者其他任何可以进行跨源请求。

Browsers only impose CORS restrictions on JavaScript code running in web apps that use XHR or Fetch or jQuery $.ajax(…) or whatever to make cross-origin requests.

因此CORS不是一种阻止用户直接导航到URL的方法，也不是一种阻止像 curl这样的非webapp客户端的方法或邮递员或访问网址的任何内容。

So CORS isn’t a way to prevent users from being able to directly navigate to a URL, and isn’t a way to prevent non-webapp clients like curl or Postman or whatever from accessing the URL.

这篇关于CORS允许来源限制不会导致服务器拒绝请求（仍然可以在浏览器中访问该站点）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！