Which server needs to return the Access-Control-Allow-Origin header?


Question

Let's say I have an HTML page, served up from example.com. It makes a JavaScript AJAX request to targetServer.com.

Which server needs to return an Access-Control-Allow-Origin="(something)"?

Is it the targetServer or the server that served up the original HTML page (i.e. example.com)?

[I know this probably is obvious, but the docs on the web seem to imply the targetServer has to send an allow-origin header of "example.com". But if this is a security feature, wouldn't a malicious targetServer.com always serve up a suitable allow-origin header? It sort of makes sense that example.com would give the browser a list of servers it is allowed to call in addition to example.com.]

Answer

The target server needs to set the Access-Control-Allow-Origin header.

CORS is meant to protect a server from unexpected cross-origin requests. In a world before CORS existed, servers were protected from cross-origin requests by the browser's same-origin policy. If CORS were automatically allowed to all servers, this same-origin contract would break, and servers would begin receiving unexpected requests. In order to prevent this, the CORS spec authors put the servers in charge of dictating what types of cross-origin requests are allowed.

Servers can do this not only with the Access-Control-Allow-Origin header, but also with the Access-Control-Allow-Credentials, Access-Control-Allow-Methods, Access-Control-Allow-Headers and Access-Control-Expose-Headers headers. These various headers give the server fine-grained control over configuring their CORS behavior.

So in your example, a malicious server could set those headers, but the headers wouldn't do anything on their own. A client would need to make a conscious decision in order to send a request to the malicious server. In effect, the client itself would need to be malicious.
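The following is an added example, not code from the question or the answer above, showing what "the target server sets the header" looks like in practice: a minimal targetServer.com that only echoes back an Origin it has on an allow-list, answers the browser's preflight (OPTIONS) request, and sends the companion headers the answer names. The allow-list contents, host names, exposed header name and handler class are assumptions made for this illustration.

```python
"""
Added example (not from the original question or answer): how the target
server (targetServer.com in the question) decides which CORS headers to
return. The allow-list, host names and handler class are assumptions.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional

# Constructed allow-list: only pages from these origins may call this API
# from a browser. example.com is the origin from the question.
ALLOWED_ORIGINS = {"https://example.com"}
ALLOWED_METHODS = "GET, POST"
ALLOWED_HEADERS = "Content-Type, Authorization"


def cors_headers(origin: Optional[str],
                 allowed_origins=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return the CORS response headers for a request carrying `origin`.

    The browser attaches the Origin request header automatically; the server
    echoes it back only when it is on the allow-list. Returning no CORS
    header at all makes the browser withhold the response from scripts on
    that origin, which is the same-origin-policy default the answer describes.
    """
    if origin is None or origin not in allowed_origins:
        return {}
    return {
        # Echo the specific origin rather than "*": "*" is not accepted by
        # browsers together with Access-Control-Allow-Credentials: true.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        # Assumed custom header name that scripts on example.com may read.
        "Access-Control-Expose-Headers": "X-Request-Id",
        # Tell caches that the response depends on the Origin request header.
        "Vary": "Origin",
    }


class TargetServerHandler(BaseHTTPRequestHandler):
    """Minimal handler for targetServer.com that applies cors_headers()."""

    def _send(self, status: int, body: bytes = b"") -> None:
        self.send_response(status)
        for name, value in cors_headers(self.headers.get("Origin")).items():
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self) -> None:
        # Preflight: the browser asks whether the real request is permitted.
        self._send(204)

    def do_GET(self) -> None:
        self._send(200, b'{"ok": true}')


if __name__ == "__main__":
    # Listen locally; a page served from https://example.com could then call
    # this endpoint, while pages from any other origin get no CORS headers.
    HTTPServer(("127.0.0.1", 8080), TargetServerHandler).serve_forever()
```

The allow-list is the part that matters for the security question asked: the headers only relax the browser's same-origin restriction for the origin the target server names, so a server that reflects any Origin it receives while also sending Access-Control-Allow-Credentials: true is handing its authenticated responses to every site, whereas a fixed list keeps the decision with the server whose data is at stake.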

