CORS允许的来源限制不会导致服务器拒绝请求 [英] CORS allowed-origin restrictions aren’t causing the server to reject requests

问题描述

我正在使用Spring Boot v1.5.1，似乎我对CORS的限制无效.

I am using Spring Boot v1.5.1, and it seems my restriction on CORS origin is not working.

我的application.properties文件具有以下行( ref1

My application.properties file has the following line (ref1 ref2).

endpoints.cors.allowed-origins=http://mydomain.io

我的REST控制器如下所示.

My REST controller looks like the following.

@RestController
@CrossOrigin
@RequestMapping("/api/car")
public class CarCtrl {
  @Autowired
  private CarService carService;

  @GetMapping
  public Car get() {
    return carService.getLatest();
  }
}

但是，当我打开浏览器并键入http://localhost:8080/api/car时，我仍然可以访问REST端点.

However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.

我还尝试了如下更改注解，但这不起作用.

I also tried to change my annotation as follows, but that does not work.

@CrossOrigin("${endpoints.cors.allowed-origins}")

关于我在做什么错的任何想法吗?

Any ideas on what I'm doing wrong?

请注意，我没有使用WebMvcConfigurerAdapter这样的帖子.我是否真的需要扩展此类以显式控制来源?我发现，除了属性文件设置之外，@CrossOrigin批注还可以控制允许的原点(与必须通过编程方式进行控制相反).

Note that I am not using WebMvcConfigurerAdapter like this post. Do I really need to extends this class to explicitly control origin? I figured that the @CrossOrigin annotation in addition to the properties file setting would be able to control the allowed origins (as opposed to having to do so programmatically).

推荐答案

但是，当我打开浏览器并输入 http://localhost:8080/api/car 我仍然可以访问REST端点.

However, when I open up a browser and type in http://localhost:8080/api/car I am still able to access the REST endpoint.

CORS允许的来源设置不会阻止您直接在浏览器中打开URL.

CORS allowed-origins settings won’t prevent you from opening the URL directly in a browser.

同源策略是对跨域的限制，同源策略仅适用于在Web浏览器中运行的Web应用程序，并使用XHR或Fetch或jQuery $.ajax(…)或其他可以进行跨域访问的应用程序原始请求.

The same-origin policy is what imposes cross-origin restrictions, and the same-origin policy is only applied to web applications running in a web browser, and using XHR or Fetch or jQuery $.ajax(…) or whatever to make cross-origin requests.

因此，CORS并不是阻止用户直接导航到URL的方法，也不是阻止curl或Postman之类的非webapp客户端访问URL的方法.

So CORS isn’t a way to prevent users from being able to directly navigate to a URL, and isn’t a way to prevent non-webapp clients like curl or Postman or whatever from accessing the URL.

这篇关于CORS允许的来源限制不会导致服务器拒绝请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！