In CORS, are POST requests with credentials pre-flighted?

Views: 430

Problem description


In the MDN Access Control doc, GET requests with credentials are not preflighted. But if the response headers don't include Access-Control-Allow-Credentials: true then the response will not be available to the invoking client. If this behaviour is the same for POST (a simple POST request with credentials - Content-Type may be form-data) requests as well, there is a risk that the POST might change the server state even though the response may not be made available to the client. Is this assumption correct?

Or are POST requests with credentials pre-flighted?

Solution

Preflight requests are intended to stop the browser from sending certain kinds of requests to a server unless the server explicitly allows it. However, browsers could already send credentialed POST requests directly to the server prior to the advent of CORS support.

The "Security Considerations" part of the CORS spec says (emphasis mine):

Simple cross-origin requests generated outside this specification (such as cross-origin form submissions using GET or POST or cross-origin GET requests resulting from script elements) typically include user credentials, so resources conforming to this specification must always be prepared to expect simple cross-origin requests with credentials.

In other words, the ability to have credentialed POST requests reach the server without a preflight is nothing new: developers have been able to make it happen ever since browsers supported <form>s. Therefore, there is no benefit to requiring a preflight for Ajax that includes credentialed POST requests.
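The answer's point can be checked mechanically. The following JavaScript is an added example, not code from the question, the answer, or any browser or library: `isSimpleRequest` applies the core CORS-safelisted rules of the Fetch standard (method, header names, and `Content-Type` value) to decide whether a browser would send a request directly or issue a preflight, and `shouldProcessStateChange` shows the server-side consequence that the answer implies. The `TRUSTED_ORIGINS` allowlist, the `req` object shape, and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: classify a cross-origin request as "simple" (sent with no
// OPTIONS preflight) or "preflighted", following the CORS-safelisted rules of
// the Fetch standard. Whether the request carries credentials (cookies, HTTP
// auth) plays no part in this decision.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Returns true when the browser delivers the request without a preflight.
// `headers` is a plain object of header name -> value (constructed input shape).
function isSimpleRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return false; // e.g. X-Requested-With, Authorization
    if (lname === 'content-type') {
      // Only the MIME type is compared; parameters such as charset or boundary
      // do not change the outcome.
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return false; // e.g. application/json
    }
  }
  return true;
}

// Server-side consequence: a credentialed simple POST reaches the handler
// before any CORS response header is evaluated, so a resource that changes
// state cannot rely on the browser hiding the response. It has to decide on
// its own whether the request is trusted; checking the Origin header against
// an allowlist is one such check. Hypothetical allowlist for illustration.
const TRUSTED_ORIGINS = new Set(['https://app.example']);

function shouldProcessStateChange(req) {
  const origin = req.headers.origin;
  // Browsers send Origin on cross-origin requests and on POST. A credentialed
  // POST with no Origin is treated as untrusted here; this also rejects
  // non-browser clients, which is a deliberate choice for this endpoint.
  if (!origin) return false;
  return TRUSTED_ORIGINS.has(origin);
}

// Constructed sample: the case the question asks about. A form-encoded POST
// with cookies is simple, so it arrives without a preflight; the Origin check
// is what stops it from changing state on behalf of another site.
const crossSiteFormPost = {
  method: 'POST',
  headers: {
    'content-type': 'application/x-www-form-urlencoded',
    cookie: 'session=abc',            // credential sent by the browser, constructed value
    origin: 'https://attacker.example', // constructed untrusted origin
  },
};

function describe(req) {
  // Cookie is a forbidden request header set by the browser, not the script,
  // so it is not part of the safelist check; strip it before classifying.
  const { cookie, origin, ...scriptHeaders } = req.headers;
  return {
    preflighted: !isSimpleRequest(req.method, scriptHeaders),
    processed: shouldProcessStateChange(req),
  };
}

console.log(describe(crossSiteFormPost)); // { preflighted: false, processed: false }
```

`describe` separates the two concerns the answer distinguishes: the browser's preflight decision, which is unaffected by credentials, and the server's own authorization of a state change, which must not assume that a withheld response means the request had no effect.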

