With CORS, why do servers declare which clients may trust it, instead of clients declaring what servers they trust?

Question

There is something about Cross Origin Resource Sharing (CORS) that I have never truly understood, namely that with a cross-origin HTTP request, it is not the client that gets to decide which server(s) it wants to trust; instead, the server declares (in the Access-Control-Allow-Origin response header) that one or more particular clients (origins) trust it. A CORS-enabled browser will only deliver the server's response to the application if the server says that the client trusts the server. This seems like a reverse way of establishing a trust relationship between two HTTP parties.

What would make more sense to me is a mechanism similar to the following: The client declares a list of origins that it trusts; for example, via some fictional <meta allow-cross-origin="https://another-site:1234"/> element in the <head>. (Of course a browser would have to ensure that these elements are read-only and cannot be removed, modified, or augmented via scripts.)

What am I misunderstanding about CORS? Why would a client-side declaration of trusted origins not work? Why is it that the servers get to confirm which clients (origins) may trust their responses? Who is actually protected from whom by CORS? Does it protect the server, or the client?

(These are a lot of questions. I hope it's clear that I am not expecting an answer to each of these, but rather just an answer that points out my fundamental misunderstanding.)

Recommended answer

The client has nothing to do with it. With a CORS header you're telling the client which other servers you trust. Those can then share your resources, and the client won't mind.

For example, if you have two domains, you tell the client to let your resources be used by your second website; you don't say "I trust you as a client".

So you're protecting the server, not the client. You don't want AJAX API endpoints to be accessible by scripts hosted anywhere in the world.

A client has nothing to gain or lose from this. It's only a protection for servers, because with AJAX all the URLs are clearly visible to anyone, and had it not been for this protection anybody could go ahead and run their front end using your API. Only servers have something to lose from this, so they get to decide who can use their resources.
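As an added illustration of the mechanism the answer describes (not code from the question or the answer), here is a minimal model of a simple, non-preflighted CORS exchange: the server's allow-list check that produces the response headers, and the browser-side check that decides whether a script on the page's origin may read the response. The origins and allow-list are constructed sample values.

```python
# Added model of the CORS check for a simple (non-preflighted) request.
# Origins and the allow-list below are constructed sample values.
from typing import Optional

ALLOWED_ORIGINS = {"https://app.example", "https://admin.example:8443"}


def cors_response_headers(request_origin: Optional[str],
                          allowed: set = ALLOWED_ORIGINS,
                          allow_credentials: bool = False) -> dict:
    """Server side: choose CORS headers for the given Origin request header.

    The server only declares which origin may read the response; the
    browser enforces that declaration.
    """
    headers = {}
    if request_origin is None:
        # No Origin header: same-origin page or a non-browser client.
        return headers
    if request_origin not in allowed:
        # Unknown origin: declare nothing, so the browser withholds the body.
        # Note the server still processed the request itself.
        return headers
    # Echo the exact origin (never "*" here) and mark the response as
    # varying by Origin so shared caches do not reuse it for another origin.
    headers["Access-Control-Allow-Origin"] = request_origin
    headers["Vary"] = "Origin"
    if allow_credentials:
        # Credentials are only allowed with an explicit origin, never "*".
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_may_expose(page_origin: str, response_headers: dict,
                       with_credentials: bool = False) -> bool:
    """Browser side: may the script on page_origin read this response?"""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False                      # server declared nothing
    if acao == "*":
        return not with_credentials       # wildcard never covers credentials
    if acao != page_origin:
        return False                      # declared for some other origin
    if with_credentials:
        return response_headers.get("Access-Control-Allow-Credentials") == "true"
    return True
```

Note that a disallowed origin still gets its request processed by the server; CORS only controls whether the browser hands the response to the page's script.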
