CORS是否被认为是不良做法？ [英] Is CORS considered bad practice?

问题描述

我们正在内部网中集成两个系统，使用 CORS 作为跨两个AJAX调用的方法

We are integrating two systems in an intranet, using CORS as a means of making AJAX calls across the two domains.

这被认为是不好的做法吗？是CORS一般被认为是不好的做法吗？

Is this considered bad practice? Is CORS in general considered bad practice?

推荐答案

CORS不是坏习惯。它在所有主要浏览器上支持，并且越来越多的API支持它。实际上，如果您的公共资源不在防火墙之后，这是安全的将 Access-Control-Allow-Origin：* 头放在资源上。

CORS isn’t bad practice. It is supported on all major browsers, and more and more APIs are supporting it. In fact, if you have a public resource that is not behind a firewall, it is safe to put the Access-Control-Allow-Origin: * header on the resource.

但是CORS在服务器上的作用有些混乱。 CORS应该只规定特定资源的跨源策略。换句话说，CORS头部仅意味着指示是否允许来自不同源的请求。我认为混乱是因为服务器有时使用CORS来规定安全策略。 CORS不是安全的。如果服务器具有需要从某些用户保护的资源，则不能仅仅依靠Origin标头来强制执行这一操作。您的服务器需要一些其他安全机制（例如OAuth2和CSRF保护）。

But there is some confusion over the role of CORS on a server. CORS should only dictate the cross-origin policy for a particular resource. In other words, the CORS headers are only meant to indicate whether requests from different origins are allowed. I think the confusion comes in because servers sometimes use CORS to dictate security policy as well. CORS is not security. If servers have resources that need to be protected from certain users, it is not safe to rely solely on the Origin header to enforce this. Your server needs some other mechanism for security (such as OAuth2 and CSRF protection).

这篇关于CORS是否被认为是不良做法？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！