CORS允许来源限制不会导致服务器拒绝请求(仍然可以在浏览器中访问该站点) [英] CORS allowed-origin restrictions aren’t causing the server to reject requests (can still access the site in browser)
问题描述
我正在使用Spring Boot v1.5.1,似乎我对CORS源的限制无效。
I am using Spring Boot v1.5.1, and it seems my restriction on CORS origin is not working.
我的application.properties文件有以下行(< a href =https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html\"rel =nofollow noreferrer> ref1 ref2 )。
My application.properties file has the following line (ref1 ref2).
endpoints.cors.allowed-origins=http://mydomain.io
我的REST控制器如下所示。
My REST controller looks like the following.
@RestController
@CrossOrigin
@RequestMapping("/api/car")
public class CarCtrl {
@Autowired
private CarService carService;
@GetMapping
public Car get() {
return carService.getLatest();
}
}
然而,当我打开浏览器并输入时 http:// localhost:8080 / api / car
我仍然可以访问REST端点。
However, when I open up a browser and type in http://localhost:8080/api/car
I am still able to access the REST endpoint.
I还尝试按如下方式更改我的注释,但这不起作用。
I also tried to change my annotation as follows, but that does not work.
@CrossOrigin("${endpoints.cors.allowed-origins}")
关于我做错的任何想法?
Any ideas on what I'm doing wrong?
请注意,我没有像这样使用 WebMvcConfigurerAdapter
帖子。我是否真的需要扩展此类以明确控制原点?我认为除了属性文件设置之外, @CrossOrigin
注释将能够控制允许的来源(而不是必须以编程方式执行)。
Note that I am not using WebMvcConfigurerAdapter
like this post. Do I really need to extends this class to explicitly control origin? I figured that the @CrossOrigin
annotation in addition to the properties file setting would be able to control the allowed origins (as opposed to having to do so programmatically).
推荐答案
然而,当我打开浏览器并输入 http:// localhost:8080 / api / car 我仍然可以访问REST端点。
However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.
CORS allowed-origins设置不会阻止您直接在浏览器中打开URL。
CORS allowed-origins settings won’t prevent you from opening the URL directly in a browser.
仅限浏览器对使用XHR或Fetch或jQuery $。ajax(...)
的网络应用程序中运行的JavaScript代码施加CORS限制。或者其他任何可以进行跨源请求。
Browsers only impose CORS restrictions on JavaScript code running in web apps that use XHR or Fetch or jQuery $.ajax(…)
or whatever to make cross-origin requests.
因此CORS不是一种阻止用户直接导航到URL的方法,也不是一种阻止像 curl这样的非webapp客户端的方法
或邮递员或访问网址的任何内容。
So CORS isn’t a way to prevent users from being able to directly navigate to a URL, and isn’t a way to prevent non-webapp clients like curl
or Postman or whatever from accessing the URL.
这篇关于CORS允许来源限制不会导致服务器拒绝请求(仍然可以在浏览器中访问该站点)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!