了解CORS [英] Understanding CORS

问题描述

我已经在网上查找CORS了，我想确认我是否做了，下面提到的是一个完全虚构的情景。

我将举一个正常网站的例子。说我的html页面有一个表单，它接受一个文本字段名称。提交时，它将表单数据发送到 myPage.php 。现在，内部发生的是，服务器将请求发送到 www.mydomain.com/mydirectory/myPage.php 以及文本字段。现在，服务器发现请求是从同一个域/端口/协议发出的

（ 问题1.服务器如何知道所有这些细节。它从哪里提取所有这些细节？）

尽管如此，由于请求来自同一个域， php脚本并返回所需的任何东西。

现在，为了参数，让我们说，我不想手动填充文本字段中的数据，而是我想以编程方式。我做的是，我创建一个HTML页面与javascript和火灾关闭POST请求以及参数（即textField的值）。现在，因为我的请求不是来自任何域，服务器忽略我的请求的服务。和我得到跨域错误？

同样，我也可以编写一个Java程序，使用HTTPClient / Post请求并做同样的事情。

问题2：这是什么问题？

现在，CORS提供给我们的是，服务器会说任何人都可以访问myPage.php。
从启用cors.org ，它表示

对于简单的CORS请求，服务器只需要在其响应中添加以下头：
Access-Control-Allow-Origin：*

现在，客户端将如何处理这个头。就像在，客户端反正想调用服务器上的资源？它应该是upto服务器只是配置自己是否要接受或不接受，并采取相应的行动。

问题3：将标题发送回客户端的用法是什么

最后，我没有得到的是，我正在为我的Android应用程序构建一些RESTful服务。现在，假设我有一个POST服务 www.mydomain.com/rest/services/myPost 。我有我的Tomcat服务器托管这些服务在我的本地机器上。

在我的android应用程序，我只是调用此服务，并获得结果。在这种情况下，我在哪里使用CORS。这是否属于不同类别的服务器调用？如果是，那么究竟是什么。

此外，我查看了启用Tomcat的Cors ，并说我可以在我的动态Web项目的web.xml中添加一个过滤器，然后它将开始接受它。

问题4：是什么启用从我的Android设备到我的网络服务的呼叫？ >

感谢

解决方案

1. 所有，跨网域检查由浏览器 执行，而不是服务器。当JavaScript对一个非原始服务器创建 XmlHttpRequest 时，如果浏览器支持CORS，它将初始化一个CORS进程。




2. 当服务器遇到 Origin 时， code> HTTP头，服务器将决定是否在允许的域列表中。如果不在列表中，则请求将失败（即服务器将发送错误响应）。




数字3和4，我想你应该单独问问题。否则这个问题会变得太宽泛。

有关CORS的解释，请参阅程序员的这个答案：http://programmers.stackexchange.com/a/253043/139479

注意：CORS更多的是一个约定。它不保证安全。您可以编写一个不考虑相同域策略的恶意浏览器。它将执行从任何网站抓取的JavaScript。您还可以使用任意 Origin 头创建HTTP标头，并从实现CORS的任何第三方服务器获取信息。 CORS仅在您信任浏览器时有效。

I've been looking on the web regarding CORS, and I wanted to confirm if whatever I made of it is, what it actually is.

Mentioned below is a totally fictional scenario.

I'll take an example of a normal website. Say my html page has a form that takes a text field name. On submitting it, it sends the form data to myPage.php. Now, what happens internally is that, the server sends the request to www.mydomain.com/mydirectory/myPage.php along with the text fields. Now, the server sees that the request was fired off from the same domain/port/protocol

(Question 1. How does server know about all these details. Where does it extract all these details froms?)

Nonetheless, since the request is originated from same domain, it server the php script and returns whatever is required off it.

Now, for the sake of argument, let's say I don't want to manually fill the data in text field, but instead I want to do it programmatically. What I do is, I create a html page with javascript and fire off a POST request along with the parameters (i.e. values of textField). Now since my request is not from any domain as such, the server disregards the service to my request. and I get cross domain error?

Similarly, I could have written a Java program also, that makes use of HTTPClient/Post request and do the same thing.

Question 2 : Is this what the problem is?

Now, what CORS provide us is, that the server will say that 'anyone can access myPage.php'. From enable cors.org it says that

For simple CORS requests, the server only needs to add the following header to its response: Access-Control-Allow-Origin: *

Now, what exactly is the client going to do with this header. As in, the client anyway wanted to make call to the resources on server right? It should be upto server to just configure itself with whether it wants to accept or not, and act accordingly.

Question 3 : What's the use of sending a header back to client (who has already made a request to the server)?

And finally, what I don't get is that, say I am building some RESTful services for my android app. Now, say I have one POST service www.mydomain.com/rest/services/myPost. I've got my Tomcat server hosting these services on my local machine.

In my android app, I just call this service, and get the result back (if any). Where exactly did I use CORS in this case. Does this fall under a different category of server calls? If yes, then how exactly.

Furthermore, I checked Enable Cors for Tomcat and it says that I can add a filter in my web.xml of my dynamic web project, and then it will start accepting it.

Question 4 : Is that what is enabling the calls from my android device to my webservices?

Thanks

解决方案

1. First of all, the cross domain check is performed by the browser, not the server. When the JavaScript makes an XmlHttpRequest to a server other than its origin, if the browser supports CORS it will initialize a CORS process. Or else, the request will result in an error (unless user has deliberately reduced browser security)

2. When the server encounters Origin HTTP header, server will decide if it is in the list of allowed domains. If it is not in the list, the request will fail (i.e. server will send an error response).

For number 3 and 4, I think you should ask separate questions. Otherwise this question will become too broad. And I think it will quickly get close if you do not remove it.

For an explanation of CORS, please see this answer from programmers: http://programmers.stackexchange.com/a/253043/139479

NOTE: CORS is more of a convention. It does not guarantee security. You can write a malicious browser that disregards the same domain policy. And it will execute JavaScript fetched from any site. You can also create HTTP headers with arbitrary Origin headers, and get information from any third party server that implements CORS. CORS only works if you trust your browser.

这篇关于了解CORS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！