Cross Domain Form POSTing


Question


I've seen articles and posts all over (including SO) on this topic, and the prevailing commentary is that same-origin policy prevents a form POST across domains. The only place I've seen someone suggest that same-origin policy does not apply to form posts, is here.


I'd like to have an answer from a more "official" or formal source. For example, does anyone know the RFC that addresses how same-origin does or does not affect a form POST?


clarification: I am not asking if a GET or POST can be constructed and sent to any domain. I am asking:

  1. if Chrome, IE, or Firefox will allow content from domain 'Y' to send a POST to domain 'X'
  2. if the server receiving the POST will actually see any form values at all. I say this because the majority of online discussion records testers saying the server received the post, but the form values were all empty / stripped out.
  3. What official document (i.e. RFC) explains what the expected behavior is (regardless of what the browsers have currently implemented).


Incidentally, if same-origin does not affect form POSTs - then it makes it somewhat more obvious of why anti-forgery tokens are necessary. I say "somewhat" because it seems too easy to believe that an attacker could simply issue an HTTP GET to retrieve a form containing the anti-forgery token, and then make an illicit POST which contains that same token. Comments?

Answer


The same origin policy is applicable only for browser side programming languages. So if you try to post to a different server than the origin server using JavaScript, then the same origin policy comes into play but if you post directly from the form i.e. the action points to a different server like:

<form action="http://someotherserver.com" method="post">


and there is no javascript involved in posting the form, then the same origin policy is not applicable.

For more details, see Wikipedia.
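As an added example (not part of the original question or answer), the Python below sketches the server-side check that addresses both points raised above: a plain cross-site form POST does reach the server with its form values intact, and a token the attacker fetched with their own GET does not validate against the victim's session, because the token is bound to the session cookie that the browser attaches. The site name, session ids and secret key are constructed for the demo.

```python
# Added example (not from the original Q&A): a server-side CSRF check that
# shows why a cross-site form POST arrives with its form values intact, yet
# a token the attacker fetched in their *own* session does not let the POST
# act on the victim's session. Hostnames, session ids and the secret key are
# constructed for the demo.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"            # hypothetical protected site
SECRET_KEY = secrets.token_bytes(32)            # per-deployment secret (constructed)


@dataclass
class Request:
    """The parts of an HTTP request the check needs."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC(secret, session id).

    Whoever GETs the form receives a token for the session carried by *their*
    cookie, so an attacker's GET yields a token for the attacker's session.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_matches(req: Request) -> bool:
    """Compare scheme and host of Origin (or Referer) with the site origin.

    Browsers attach Origin to cross-site form POSTs; when neither header is
    present we fall through to the token check rather than trusting the POST.
    """
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None:
        return True
    a, b = urlsplit(source), urlsplit(SITE_ORIGIN)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def csrf_check(req: Request) -> tuple:
    """Return (accepted, reason) for a request."""
    if req.method.upper() != "POST":
        return True, "not state-changing"
    if not origin_matches(req):
        return False, "origin mismatch"
    session_id = req.cookies.get("session")
    if not session_id:
        return False, "no session"
    expected = issue_csrf_token(session_id)
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return False, "token not bound to this session"
    return True, "ok"


def handle_transfer(req: Request) -> dict:
    """The server *sees* the posted form values either way; only the check
    decides whether they act on the session the cookie identifies."""
    accepted, reason = csrf_check(req)
    return {"form_seen": dict(req.form), "accepted": accepted, "reason": reason}


# Constructed scenarios -------------------------------------------------------
VICTIM_SESSION = "sess-victim-1"
ATTACKER_SESSION = "sess-attacker-9"


def legitimate_request() -> Request:
    """Victim submits the site's own form with the token issued to their session."""
    return Request("POST", {"Origin": SITE_ORIGIN}, {"session": VICTIM_SESSION},
                   {"to": "savings", "amount": "10",
                    "csrf_token": issue_csrf_token(VICTIM_SESSION)})


def cross_site_request(with_origin: bool = True) -> Request:
    """Form on another origin posts to the site. The browser adds the victim's
    cookie; the token is the one the attacker obtained in their own session."""
    headers = {"Origin": "https://evil.example"} if with_origin else {}
    return Request("POST", headers, {"session": VICTIM_SESSION},
                   {"to": "attacker", "amount": "9999",
                    "csrf_token": issue_csrf_token(ATTACKER_SESSION)})


if __name__ == "__main__":
    for name, req in [("legitimate", legitimate_request()),
                      ("cross-site with Origin", cross_site_request()),
                      ("cross-site, no Origin header", cross_site_request(False))]:
        print(name, handle_transfer(req))
```

Running it shows the cross-site POST's form values in `form_seen` (the request is not stripped by the browser), while `accepted` is false on both the Origin mismatch and, for a browser that sends no Origin, on the token check. The `Origin` comparison is an extra layer; the session-bound token is what makes the "fetch the form with a GET, then reuse the token" idea from the question fail, since the attacker cannot read the victim's page under the same-origin policy and their own GET returns a token for a different session.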

