What is the issue CORS is trying to solve?


Question

I've been reading up on CORS and how it works, but I'm finding a lot of things confusing. For example, there are lots of details about things like


User Joe is using browser BrowserX to get data from site.com, which in turn sends a request to spot.com. To allow this, spot has special headers... yada yada yada

Without much background, I don't understand why websites wouldn't let requests from some places. I mean, they exist to serve responses to requests, don't they? Why would certain people's requests not be allowed?

I would really appreciate a nice explanation (or a link to one) of the problem that CORS is made to solve.

So the question is,

What is the problem CORS is solving?

Recommended answer

The default behavior of web browsers that initiate requests from a page via JavaScript (AKA AJAX) is that they follow the same-origin policy. This means that requests can only be made via AJAX to the same domain (or subdomain). Requests to an entirely different domain will fail.

This restriction exists because requests made at other domains by your browser would carry along your cookies, which often means you'd be logged in to the other site. So, without same-origin, any site could host JavaScript that called logout on stackoverflow.com, for example, and it would log you out. Now imagine the complications when we talk about social networks, banking sites, etc.

So, all browsers simply restrict script-based network calls to their own domain to make it simple and safe.

Site X at www.x.com cannot make AJAX requests to site Y at www.y.com, only to *.x.com

There are some known work-arounds in place (such as JSONP, which doesn't include cookies in the request), but these are not a permanent solution.

CORS allows these cross-domain requests to happen, but only when each side opts into CORS support.

