CORS允许的来源限制不会导致服务器拒绝请求 [英] CORS allowed-origin restrictions aren’t causing the server to reject requests
问题描述
我正在使用Spring Boot v1.5.1,似乎我对CORS的限制无效.
I am using Spring Boot v1.5.1, and it seems my restriction on CORS origin is not working.
我的application.properties文件具有以下行( ref1
My application.properties file has the following line (ref1 ref2).
endpoints.cors.allowed-origins=http://mydomain.io
我的REST控制器如下所示.
My REST controller looks like the following.
@RestController
@CrossOrigin
@RequestMapping("/api/car")
public class CarCtrl {
@Autowired
private CarService carService;
@GetMapping
public Car get() {
return carService.getLatest();
}
}
但是,当我打开浏览器并键入http://localhost:8080/api/car
时,我仍然可以访问REST端点.
However, when I open up a browser and type in http://localhost:8080/api/car
I am still able to access the REST endpoint.
我还尝试了如下更改注解,但这不起作用.
I also tried to change my annotation as follows, but that does not work.
@CrossOrigin("${endpoints.cors.allowed-origins}")
关于我在做什么错的任何想法吗?
Any ideas on what I'm doing wrong?
请注意,我没有使用WebMvcConfigurerAdapter
这样的帖子.我是否真的需要扩展此类以显式控制来源?我发现,除了属性文件设置之外,@CrossOrigin
批注还可以控制允许的原点(与必须通过编程方式进行控制相反).
Note that I am not using WebMvcConfigurerAdapter
like this post. Do I really need to extends this class to explicitly control origin? I figured that the @CrossOrigin
annotation in addition to the properties file setting would be able to control the allowed origins (as opposed to having to do so programmatically).
推荐答案
但是,当我打开浏览器并输入 http://localhost:8080/api/car 我仍然可以访问REST端点.
However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.
CORS允许的来源设置不会阻止您直接在浏览器中打开URL.
CORS allowed-origins settings won’t prevent you from opening the URL directly in a browser.
同源策略是对跨域的限制,同源策略仅适用于在Web浏览器中运行的Web应用程序,并使用XHR或Fetch或jQuery $.ajax(…)
或其他可以进行跨域访问的应用程序原始请求.
The same-origin policy is what imposes cross-origin restrictions, and the same-origin policy is only applied to web applications running in a web browser, and using XHR or Fetch or jQuery $.ajax(…)
or whatever to make cross-origin requests.
因此,CORS并不是阻止用户直接导航到URL的方法,也不是阻止curl
或Postman之类的非webapp客户端访问URL的方法.
So CORS isn’t a way to prevent users from being able to directly navigate to a URL, and isn’t a way to prevent non-webapp clients like curl
or Postman or whatever from accessing the URL.
这篇关于CORS允许的来源限制不会导致服务器拒绝请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!