Wouldn't it have been simpler to just discard cookies for cross-domain XHR?

Views: 162

Question



I keep fighting with strange limitations when developing for the web. One of them is the same-origin limitation for AJAX requests, and I'm asking myself whether, instead of blocking requests to cross-domain resources, it wouldn't have been simpler to just discard cookies when making them (to avoid misuse of the authentication credentials of the browser session).

Cookies are a facility but not quite essential (for example, you can generate pages with cookies in the request URLs if you need to keep context), while cross-domain blocking is quite annoying to circumvent.

There is also something that seems to me VERY strange from a logical point of view in blocking a specific subject from accessing a resource that literally everyone else in the whole world can access without authentication.

I'm wondering if there's some real technical reason for which the same-origin policy is really the best solution.

Note that I'm asking just out of curiosity... I'm perfectly aware that in the web age horrible solutions can get crystallized in standards before experience is given the possibility to show if they are good or bad (quite a big part of Javascript, for example).

Solution

You're assuming that all authentication credentials are cookie-based, which isn't true. The browser might authenticate to another site using PKI certificates, or the site might trust the client just because it has a certain IP address on a trusted network. That's not something the client can just turn off for an individual request.

However, there's work being done on standardizing a way for sites to allow cross-origin requests to their resources. If a site knows that some of its content is public and no clients have special privileges, it can set an HTTP header to tell browsers that scripts loaded from other sites are allowed to see that content.

There is also something that seems to me VERY strange from a logical point of view in blocking a specific subject from accessing a resource that literally everyone else in the whole world can access without authentication.

The browser doesn't know that the whole world can access the resource without authentication. It doesn't know whether it sees the same content as other clients when accessing a given URL. What it's blocking is access to its own, potentially unique, view of the remote resource.
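As an added illustration of the opt-in the answer describes (example code, not from the question or the answer), here is a small JavaScript model of both sides of the exchange: the server, which alone knows whether a resource is public, decides which CORS headers to emit, and the browser applies the read check for a simple cross-origin GET. The resource table, paths and origins are constructed for the example.

```javascript
// Constructed resource table: the server knows which content is identical for
// everyone and which depends on the requesting client's credentials.
const RESOURCES = {
  "/public/feed.json": { public: true },
  "/account/profile.json": { public: false, trustedOrigins: ["https://app.example"] },
};

// Server side: choose the CORS headers (if any) to attach to a response.
function corsHeadersFor(path, requestOrigin) {
  const res = RESOURCES[path];
  if (!res || !requestOrigin) return {}; // unknown resource or same-origin request: nothing to add
  if (res.public) {
    // Same content for every client: any origin may read it, never with credentials.
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (res.trustedOrigins.includes(requestOrigin)) {
    // Credentialed access requires echoing one explicit origin (no wildcard) and Vary: Origin
    // so caches do not serve this answer to a different origin.
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  }
  return {}; // untrusted origin: the browser's own authenticated view stays unreadable
}

// Browser side: simplified CORS check for a simple GET. Note the request has already
// been sent (cookies included); what is decided here is whether the page may read the reply.
function browserMayRead(headers, requestOrigin, withCredentials) {
  const allow = headers["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;
  if (allow === "*") return !withCredentials; // wildcard is rejected when credentials are sent
  if (allow !== requestOrigin) return false;
  return !withCredentials || headers["Access-Control-Allow-Credentials"] === "true";
}

// Whole exchange: a page served from `origin` fetches `path` from the resource server.
function crossOriginFetch(origin, path, withCredentials) {
  const headers = corsHeadersFor(path, origin);
  return { headers, readable: browserMayRead(headers, origin, withCredentials) };
}
```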

