Best method: Access-Control-Allow-Origin Multiple Origin Domains

Views: 345

Question

This question has been asked on here before and given an array of good answers, mainly: Access-Control-Allow-Origin Multiple Origin Domains?

However there seems to be a gap in explanation in terms of the approved method that should be undertaken. Reading through the W3 documentation we have what appears to me to be a conflict of guidance.

Firstly we see the answer given as the right way to do it in a lot of the previous answers which dictates that the host server must dynamically echo back the given 'Origin' if it appears on a predefined 'whitelist'. http://www.w3.org/TR/cors/#resource-implementation

However a lot of the answers and methods used also allude to a space delimited list which can also be used as a method of passing multiple 'Origins' to allow. If we take a look at another piece of W3 documentation at http://www.w3.org/wiki/CORS_Enabled we see an example of this in the first section of the page as:

 Access-Control-Allow-Origin: http://example.com:8080 http://blah.example.com http://foo.example.com

Of these two methods I would be equally happy to incorporate either, however there may be a large list of URLs which will need to be whitelisted and so I wanted to ensure that I am doing this correctly first time round. If anyone has any insight into the two methods mentioned above I would be very grateful to hear the decision in your choices and if there is a definitive guide to the recommended method I may have missed.

Accepted answer

The documentation on this seems to imply that it allows multiple origins with a space separated list, but that's not what it actually means. Here's what I could gather as the most definitive answer to your question: the Access-Control-Allow-Origin header should be the same value as the Origin header as long as you want to allow it.

The reason it's not a whitelist that you send back to the client is because technically the client can send a space separated list of origins so that the server can validate the request. The purpose of origin list then is because the request could've come from multiple origins (ie. the request was redirected across domains). A test suite makes it easy to observe this behavior with varying redirect possibilities, even though a space separated list is never generated (by Firefox at least).

This is illustrated lower in the first linked W3C document you provided:

The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header, "*", or "null" in the response. ABNF:


Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"

In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".

And again in the definition of the origin list. In addition it shows if you do want to allow the string "null" as an origin, it wouldn't be able to be embedded in an origin list anyways.

So stick with the dynamically generated header based on the client's Origin header and whether that matches your whitelist.
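The dynamic-echo approach the answer recommends, as an added example that is not part of the original Q&A: the server compares the request's Origin against an allow-list and echoes back exactly one matching origin (never a space-separated list), adding Vary: Origin so caches do not reuse the response across origins. The hostnames in the allow-list are constructed placeholders.

```python
from typing import Dict, Optional

# Constructed allow-list of full origins (scheme, host and port). These are
# placeholder values for the example, not real deployments.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
    "http://localhost:8080",
})


def cors_headers(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Build the CORS response headers for one request.

    Only an exact, case-sensitive match of the whole Origin value is echoed
    back. A space-separated list of origins can never match a single entry,
    so it is silently refused, and the literal string "null" is refused too
    (this example's choice, since "null" is sent by opaque-origin documents
    such as sandboxed iframes and would not identify a specific site).
    """
    origin: Optional[str] = None
    for name, value in request_headers.items():
        if name.lower() == "origin":
            origin = value.strip()
            break

    # The response depends on the Origin header, so tell shared caches that
    # one origin's Access-Control-Allow-Origin must not be served to another.
    headers = {"Vary": "Origin"}

    if origin is None or origin == "null":
        return headers
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    return headers


if __name__ == "__main__":
    # Constructed requests: one allowed, one unknown, one space-separated list.
    for hdrs in ({"Origin": "https://app.example.com"},
                 {"Origin": "https://evil.example.net"},
                 {"Origin": "https://app.example.com https://admin.example.com"}):
        print(hdrs, "->", cors_headers(hdrs))
```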
