Why are audio files (MP3) blocked by CORS? What's the security risk?


Question

Why do I need to set Access-Control-Allow-Origin to * for an MP3 file so that it can be loaded by websites of other domains? What's the security risk with this?

Or is it just to prevent others from displaying content that you didn't authorize them to (assuming browsers support CORS)?

Recommended answer

Most video players are initialized using JS in script tags, and video is fetched through an XMLHttpRequest.

According to the documentation:


For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request HTTP resources from the same domain the application was loaded from unless CORS headers are used.

So for security and to prevent data breaches, CORS headers are required.
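An added example, not part of the original answer: a simplified JavaScript model of the check a browser applies before it lets a script read a cross-origin response, following the CORS check in the Fetch standard. The function name `scriptMayRead` and the `.example` URLs are assumptions made for illustration.

```javascript
// Added example: simplified model of the browser's CORS check for a
// script-initiated GET (fetch / XMLHttpRequest). All URLs are constructed.

// Returns true when the browser would expose the response to the script.
function scriptMayRead(pageOrigin, resourceUrl, credentialsMode, responseHeaders) {
  // Same-origin requests are not subject to the CORS check.
  if (new URL(resourceUrl).origin === pageOrigin) return true;

  // Header names are case-insensitive; normalise before lookup.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v.trim()])
  );
  const allowOrigin = headers.get("access-control-allow-origin");
  if (allowOrigin === undefined) return false; // server did not opt in

  const withCredentials = credentialsMode === "include";
  // The wildcard is honoured only when no cookies or HTTP auth are sent,
  // so "*" cannot expose data that depends on the visitor's session.
  if (allowOrigin === "*") return !withCredentials;

  // Any other value must match the requesting origin exactly.
  if (allowOrigin !== pageOrigin) return false;
  if (!withCredentials) return true;

  // Credentialed requests additionally need an explicit "true".
  return headers.get("access-control-allow-credentials") === "true";
}

// Constructed sample cases: a player page loading an MP3 from another host.
const PAGE = "https://player.example";
const MP3 = "https://media.example/track.mp3";
const cases = [
  ["no CORS header", "omit", {}],
  ["wildcard, no credentials", "omit", { "Access-Control-Allow-Origin": "*" }],
  ["wildcard, with credentials", "include", { "Access-Control-Allow-Origin": "*" }],
  ["exact origin, with credentials", "include", {
    "Access-Control-Allow-Origin": PAGE,
    "Access-Control-Allow-Credentials": "true",
  }],
];
for (const [label, mode, hdrs] of cases) {
  console.log(label.padEnd(32), scriptMayRead(PAGE, MP3, mode, hdrs));
}
```
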
