为什么默认情况下禁用CORS? [英] Why is CORS Disabled by Default?
问题描述
首先,我绝对知道我们对此有很多答案,并且有很多关于该主题的文章.在输入以下内容之前,我只是读了这些答案一秒钟:
Alright, first of all, I am absolutely aware that we have a bunch of answers on this and there is a plethora of articles on the topic. I just read these answers a second before typing this:
为什么禁止没有凭据的CORS?.
CORS是否被视为不良做法?
等等.我的特殊情况是-我只是为我的练习项目设置了WebAPI2,其前端通过gulp浏览器同步运行.我不知道如何选择这些端口,但是可以说Web API在端口 http://localhost:1234/<上运行/a>,然后浏览器同步会在 http://localhost:4321/上生成网站.因此,我通过angular的$ http到达了API,并得到了著名的CORS错误(API控制器方法的确得到了命中),所以我猜想这是不允许返回的API.我通过通过NuGet
Etc. My particular situation is this - I just set up WebAPI2 for my practice project, the front end for which is running via gulp browser-sync. I have no idea how these ports get picked, but lets say the Web API is running on port http://localhost:1234/ and browser-sync generates the website on http://localhost:4321/. So I hit the API via angular's $http and get the famous CORS error (API controller method does get hit), so I am guessing it's the API returning not allowed. I fixed this via installing a CORS for Web API package via NuGet (Article Here) before asking this Q, just referencing for anyone who might need it later.
因此,我在想,如果部署了此请求,除非我丢失了任何内容,否则任何请求都将被拒绝.还是会因为我不了解的东西而被拒绝?禁止CORS只是MVC时代的倒退吗?还是API有一些目的?
So, I was thinking, if I deployed this, ANY request would get denied, unless I am missing something. Or would it not be denied because of something I don't understand? Is disallowing CORS just a throwback from the MVC days? Or is there some purpose to it with APIs?
也许我只是在咆哮,但这使我感到困惑.
Maybe I am just ranting, but this confuses the **** out of me.
推荐答案
CORS基于从API返回的响应标头.并不是API拒绝响应请求,网络浏览器明确禁止处理响应. API将正常处理请求.
CORS is based on the response headers returned from the API. It is not the API that rejects responding to the request, the web browser explicitly disallows handling the response. The API will process the request as normal.
在处理GET以外的任何其他内容时,CORS还需要首先向API发送预检"请求,以确保允许后续请求. Web标头nuget包提供了这些,其中包括将标头发回.
When dealing with anything other than a GET, CORS also requires a "preflight" request to the API first, to ensure subsequent requests are allowed. This amongst sending the headers back is what the Web API nuget package provides.
出于安全考虑,默认情况下,CORS处于关闭状态.
CORS is off by default for security purposes.
这篇关于为什么默认情况下禁用CORS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
