CORS for HTML5 Hybrid App


Problem description

I have read a lot about CORS and how allowing Access-Control-Allow-Origin: * is a security vulnerability for the web server. But none of the articles explained how we can allow an HTML5 hybrid application to access web services hosted on a domain that disallows the wildcard character *.

My question is: as far as I know, an HTML5 hybrid app does not run on any specific domain that we could set as a whitelisted domain in the Access-Control-Allow-Origin list. So how can we still access the web service data from the hybrid app via an Ajax call to a web server that disallows * under Access-Control-Allow-Origin?

Recommended answer

When running on a device, your app runs in a browser, but from the local filesystem (from a location similar to file://path/to/index.html). Therefore, an origin does not exist. The browser will not do any preflight OPTIONS request, nor will it block calls to the API because of cross-origin issues, simply because there is no origin.

For this reason, you can configure your server to only allow same-origin requests, to keep things secure. Calls made from the device will still be allowed. However, when you run your app in the browser on your local dev machine (for testing purposes), you might run into CORS issues, because in this case there is an origin. You can solve this by allowing your local domain to access the API (remember to remove it in production), by using a browser plugin to disable CORS, or by using a proxy.
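The server-side policy the answer describes, as an added example that is not part of the original question or answer: an explicit allow-list of origins instead of *, with the local development origin honoured only when the server runs in development mode, so it cannot be forgotten in production. The function is written as a pure decision over a request-like object (method plus lower-cased headers, as Node's http module presents them) so it can sit in front of any handler. All hostnames are constructed for the example. One caveat the answer does not mention: browsers serialize an opaque origin (file:// content in some WebViews, sandboxed frames) as the literal string "null", so an allow-list must never match "null", because that would admit any such document, not just your app.

```javascript
// Added example, not code from the original Q&A. Origins below are constructed.

// Origins that may read API responses in every environment.
const PRODUCTION_ORIGINS = new Set([
  'https://app.example.com', // the web build of the front-end (constructed)
]);

// Origins honoured only when env === 'development', so the dev allowance
// cannot leak into production by accident.
const DEVELOPMENT_ORIGINS = new Set([
  'http://localhost:8080', // a local dev server for browser testing (constructed)
]);

const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];

function isOriginAllowed(origin, env) {
  // "null" is how browsers serialize an opaque origin (e.g. file:// content,
  // sandboxed iframes). Allow-listing it would admit any such document.
  if (typeof origin !== 'string' || origin === 'null') return false;
  if (PRODUCTION_ORIGINS.has(origin)) return true;
  return env === 'development' && DEVELOPMENT_ORIGINS.has(origin);
}

// req: { method: 'GET', headers: { origin: '...', 'access-control-request-method': '...' } }
// Returns { status, headers, allowed }; the caller writes these onto the response.
function corsDecision(req, env = 'production') {
  const origin = req.headers.origin;
  const isPreflight =
    req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;

  // No Origin header: a same-origin request, a non-browser client, or a
  // WebView that sends none (the device case in the answer). CORS does not
  // apply and the browser will not block the call, so send no CORS headers.
  if (origin === undefined) {
    return { status: isPreflight ? 204 : 200, headers: {}, allowed: true };
  }

  if (!isOriginAllowed(origin, env)) {
    // Deny: a preflight fails outright; an actual request gets no
    // Access-Control-Allow-Origin, so the browser refuses to expose the response.
    return { status: isPreflight ? 403 : 200, headers: {}, allowed: false };
  }

  // Echo the single matched origin (never "*") and mark the response as varying
  // on Origin, so a shared cache never serves one origin's answer to another.
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
  };
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // cache the preflight for 10 minutes
    return { status: 204, headers, allowed: true };
  }
  return { status: 200, headers, allowed: true };
}

// Stand-alone demonstration of the three cases from the answer.
console.log(corsDecision({ method: 'GET', headers: {} }));                                    // device: no origin
console.log(corsDecision({ method: 'GET', headers: { origin: 'http://localhost:8080' } }));   // dev origin in production: denied
console.log(corsDecision({ method: 'GET', headers: { origin: 'http://localhost:8080' } }, 'development'));
```

Wiring this into a real server means calling corsDecision on each request, writing the returned headers, and returning early with the returned status for preflights and denials. Of the three workarounds the answer lists for local testing, this is the first one made deliberate: the development origin is a separate list that only an explicit environment setting activates.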
