CORS - What is the motivation behind introducing preflight requests?


Question


Cross-origin resource sharing is a mechanism that allows a web page to make XMLHttpRequests to another domain (from wikipedia), and it's pretty important (from me :).


I've been fiddling with CORS for the last couple of days and I think I have a pretty good understanding of how everything works.


So my question is not about how CORS / preflight work, it's about the reason behind coming up with preflights as a new request type. I fail to see any reason why server A needs to send a preflight (PR) to server B just to find out if the real request (RR) will be accepted or not - it would certainly be possible for B to accept/reject RR without any prior PR.


After searching quite a bit I found this piece of information at www.w3.org (7.1.5):

To protect resources against cross-origin requests that could not originate from certain user agents before this specification existed, a preflight request is made to ensure that the resource is aware of this specification.


I find this is the hardest to understand sentence ever. My interpretation (should better call it 'best guess') is that it's about protecting server B against requests from server C that is not aware of the spec.


Can someone please explain a scenario / show a problem that PR + RR solves better than RR alone?

Recommended answer


I spent some time being confused as to the purpose of the preflight request but I think I've got it now.


The key insight is that preflight requests are not a security thing. Rather, they're a not-changing-the-rules thing.


Preflight requests have nothing to do with security, and they have no bearing on applications that are being developed now, with an awareness of CORS. Rather, the preflight mechanism benefits servers that were developed without an awareness of CORS, and it functions as a sanity check between the client and the server that they are both CORS-aware. The developers of CORS felt that there were enough servers out there that were relying on the assumption that they would never receive, e.g. a cross-domain DELETE request that they invented the preflight mechanism to allow both sides to opt-in. They felt that the alternative, which would have been to simply enable the cross-domain calls, would have broken too many existing applications.

There are three scenarios:


  1. Old servers, no longer under development, and developed before CORS. These servers may make assumptions that they'll never receive e.g. a cross-domain DELETE request. This scenario is the primary beneficiary of the preflight mechanism. Yes these services could already be abused by a malicious or non-conforming user agent (and CORS does nothing to change this), but in a world with CORS the preflight mechanism provides an extra 'sanity check' so that clients and servers don't break because the underlying rules of the web have changed.


  2. Servers that are still under development, but which contain a lot of old code and for which it's not feasible/desirable to audit all the old code to make sure it works properly in a cross-domain world. This scenario allows servers to progressively opt-in to CORS, e.g. by saying "Now I'll allow this particular header", "Now I'll allow this particular HTTP verb", "Now I'll allow cookies/auth information to be sent", etc. This scenario benefits from the preflight mechanism.


  3. New servers that are written with an awareness of CORS. According to standard security practices, the server has to protect its resources in the face of any incoming request -- servers can't trust clients to not do malicious things. This scenario doesn't benefit from the preflight mechanism: the preflight mechanism brings no additional security to a server that has properly protected its resources.
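To make the opt-in idea concrete, here is an added example (not part of the original answer) modelling both halves of the handshake: the browser's rule for deciding whether a request is "simple" or must be preflighted, and a server-side preflight handler that only acknowledges origins, methods and headers listed in an explicit policy. The policy values and request headers are constructed for illustration; a server that never emits these headers, like the "old server" in scenario 1, causes the browser to withhold the real request.

```javascript
// Browser-side classification (added example, not code from the answer).
// Only these methods, headers and Content-Type values are on the CORS safelist;
// anything outside them makes the browser send an OPTIONS preflight first.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Returns true when the browser would preflight this request.
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    const mediaType = value.split(';')[0].trim().toLowerCase();
    if (n === 'content-type' && !SAFE_CONTENT_TYPES.has(mediaType)) return true;
  }
  return false;
}

// Server side: answer an OPTIONS preflight from an explicit opt-in policy
// (policy shape { origins: [], methods: [], headers: [] } is a constructed
// convention for this example). Any refusal means the browser never sends the
// real request, which is exactly the "sanity check" the answer describes.
function handlePreflight(req, policy) {
  const h = req.headers;
  const origin = h['origin'];
  const method = (h['access-control-request-method'] || '').toUpperCase();
  const wanted = (h['access-control-request-headers'] || '')
    .split(',').map((x) => x.trim().toLowerCase()).filter(Boolean);
  const refuse = { status: 403, headers: {} };
  if (!policy.origins.includes(origin)) return refuse;
  if (!policy.methods.includes(method)) return refuse;
  if (!wanted.every((x) => policy.headers.includes(x))) return refuse;
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Methods': policy.methods.join(', '),
      'Access-Control-Allow-Headers': policy.headers.join(', '),
      // Cache keyed on Origin so one origin's answer is not served to another.
      'Vary': 'Origin',
    },
  };
}
```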
