What exactly does the Access-Control-Allow-Credentials header do?


Question

I'm trying to understand how to use CORS and am confused about what the Access-Control-Allow-Credentials header does.

The documentation says:

Indicates whether or not the response to the request can be exposed when the credentials flag is true.

But I don't understand what the response being "exposed" means.

Can anyone explain what this header being set to true (in conjunction with the credentials flag being set to true) actually does?

Accepted answer

By default, CORS does not include cookies on cross-origin requests. This is different from other cross-origin techniques such as JSON-P. JSON-P always includes cookies with the request, and this behavior can lead to a class of vulnerabilities called cross-site request forgery, or CSRF.

In order to reduce the chance of CSRF vulnerabilities in CORS, CORS requires both the server and the client to acknowledge that it is ok to include cookies on requests. Doing this makes cookies an active decision, rather than something that happens passively without any control.

The server can give permission to include cookies by setting the Access-Control-Allow-Credentials header. Setting this response header to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.

However, this header alone is not enough to send cookies to the server. The client code must also set the withCredentials property on the XMLHttpRequest to true in order to give permission.

You also need to make sure that your browser is not blocking third-party cookies if you want cross-origin credentialed requests to work.

Note that regardless of whether you are making same-origin or cross-origin requests, you need to protect your site from CSRF (especially if your request includes cookies).
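The following is an added example, not code from the original question or answer. It models the two-sided agreement the answer describes: the server emits Access-Control-Allow-Credentials only for an allowlisted, exactly-echoed origin (never "*"), and the browser "exposes" the response to the calling script only when the credentials flag and the server's headers agree. The origins, the allowlist and the header objects are constructed sample values; `corsHeadersFor`, `responseExposed` and `simulate` are names chosen for this example.

```javascript
// Constructed allowlist: the only origins this server will let send cookies.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// Server side: build the CORS response headers for a request whose Origin
// header is `origin`. Credentialed CORS forbids the "*" wildcard, so the
// value must be the exact origin, and it must come from an allowlist rather
// than being blindly echoed back, or every site could read the user's data.
// Vary: Origin keeps caches from serving one origin's headers to another.
function corsHeadersFor(origin) {
  const headers = { Vary: 'Origin' };
  if (ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Browser side: the response is "exposed" (readable by the script) only if
// the CORS checks pass. Note that the request has already reached the server
// by this point; a failed check only denies the script access to the result,
// which is why the answer says CSRF still needs its own protection.
//   withCredentials=false: origin must match or be "*".
//   withCredentials=true : origin must match exactly ("*" is rejected) AND
//                          Access-Control-Allow-Credentials must be "true".
function responseExposed(requestOrigin, withCredentials, responseHeaders) {
  const allowOrigin = responseHeaders['Access-Control-Allow-Origin'];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) {
    return allowOrigin === '*' || allowOrigin === requestOrigin;
  }
  if (allowOrigin !== requestOrigin) return false; // wildcard fails here too
  return responseHeaders['Access-Control-Allow-Credentials'] === 'true';
}

// Round trip: a page at `origin` makes a request with the given credentials
// flag to the server above, and we ask whether the script can read the reply.
function simulate(origin, withCredentials) {
  return responseExposed(origin, withCredentials, corsHeadersFor(origin));
}

// Stand-alone run: allowlisted origin succeeds, an unknown origin is blocked.
console.log(simulate('https://app.example', true));   // true
console.log(simulate('https://other.example', true)); // false
```

On the client, the credentials flag is `xhr.withCredentials = true` for XMLHttpRequest or `fetch(url, { credentials: 'include' })` for fetch; without it the browser sends no cookies even when the server returns these headers. The `responseExposed` check also shows why a server that answers `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true` gains nothing: browsers reject that combination for credentialed requests.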
