What exactly does the Access-Control-Allow-Credentials header do?

Views: 503

Question

I'm trying to understand how to use CORS and am confused about what the Access-Control-Allow-Credentials header does.

The documentation says:

Indicates whether or not the response to the request can be exposed when the credentials flag is true.

But I don't understand what the response being "exposed" means.

Can anyone explain what this header being set to true (in conjunction with the credentials flag being set to true) actually does?

Accepted answer

By default, CORS does not include cookies on cross-origin requests. This is different from other cross-origin techniques such as JSON-P. JSON-P always includes cookies with the request, and this behavior can lead to a class of vulnerabilities called cross-site request forgery, or CSRF.

In order to reduce the chance of CSRF vulnerabilities in CORS, CORS requires both the server and the client to acknowledge that it is ok to include cookies on requests. Doing this makes cookies an active decision, rather than something that happens passively without any control.

The client code must set the withCredentials property on the XMLHttpRequest to true in order to give permission.

However, this flag alone is not enough. The server must respond with the Access-Control-Allow-Credentials header. Responding with this header set to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.

You also need to make sure your browser isn't blocking third-party cookies if you want cross-origin credentialed requests to work.

Note that regardless of whether you are making same-origin or cross-origin requests, you need to protect your site from CSRF (especially if your request includes cookies).
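The two-sided opt-in described in the answer, as an added example (this is not code from the question or the answer, and the origin allowlist and function names are assumptions for the demo). corsHeadersFor() models the decision a server makes when it sees an Origin header; browserCorsCheck() mirrors the "CORS check" the browser runs, per the Fetch standard, before a response is "exposed" to the calling script. The rules it encodes are the ones the answer is about: a credentialed request needs the client flag and the server header together, the server must echo one exact origin rather than "*", and the header value must be the literal string "true".

```javascript
// Added example, not code from the question or the answer above. A small model
// of the credentialed-CORS handshake: corsHeadersFor() is the decision a server
// makes when it sees an Origin header, and browserCorsCheck() mirrors the "CORS
// check" the browser runs (per the Fetch standard) before it exposes a response
// to the calling script. ALLOWED_ORIGINS is an assumed allowlist for the demo.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Server side. A credentialed response must name exactly one origin; "*" is not
// accepted together with Access-Control-Allow-Credentials: true. Reflect only
// allowlisted origins, and send Vary: Origin so a shared cache cannot hand one
// origin's headers to a request from a different origin.
function corsHeadersFor(requestOrigin, allowCredentials) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // no CORS headers at all: the browser keeps the response opaque
  }
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    Vary: "Origin",
  };
  if (allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side. withCredentials is the flag the page sets with
// xhr.withCredentials = true or fetch(url, { credentials: "include" }).
// Returns true when the script is allowed to read the response ("exposed").
function browserCorsCheck(responseHeaders, requestOrigin, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;              // header absent: blocked
  if (!withCredentials && acao === "*") return true; // wildcard is fine without credentials
  if (acao !== requestOrigin) return false;          // must match the request origin exactly
  if (!withCredentials) return true;                 // anonymous request: origin match suffices
  // Credentialed request: the server must also have opted in with the literal
  // value "true" (byte-for-byte; "True" or "1" do not count).
  return responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// One round trip: a page at requestOrigin calls the API, with or without the
// credentials flag, against a server that has or has not opted in.
function simulate(requestOrigin, withCredentials, serverAllowsCredentials) {
  const headers = corsHeadersFor(requestOrigin, serverAllowsCredentials);
  return browserCorsCheck(headers, requestOrigin, withCredentials);
}

// Constructed scenarios for the demo.
const scenarios = [
  ["https://app.example.com", true, true],  // both sides opt in: exposed
  ["https://app.example.com", true, false], // cookies sent, server did not opt in: blocked
  ["https://app.example.com", false, true], // anonymous request: exposed, ACAC is irrelevant
  ["https://evil.example", true, true],     // origin not on the allowlist: blocked
];
for (const [origin, withCreds, serverAllows] of scenarios) {
  console.log(
    `${origin} withCredentials=${withCreds} serverAllows=${serverAllows} ` +
      `-> exposed=${simulate(origin, withCreds, serverAllows)}`
  );
}
```

The second scenario is the case the question asks about: the client sent cookies, but without Access-Control-Allow-Credentials: true in the response the browser discards the body and the script sees a network error, even though the server already processed the request. That last point is why the answer's closing note matters: the header controls what the script can read, not whether the request (and its cookies) reached the server, so CSRF defenses are still required.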

