CORS - 它保护什么？ [英] CORS - What does it protect?

问题描述

我阅读了 https://developer.mozilla.org/en- US / docs / Web / HTTP / Access_control_CORS 我想知道应该保护什么或者谁。例如，如果您在没有安全限制的模式下启动Chrome，则无需预检即可调用其他域上的所有API。这意味着一个顽皮的家伙可以很容易地解决这个问题。我没有看到这应该如何保护服务器应用程序的所有者，这样的应用程序的所有者可以拥有身份验证来保护其站点。那么受保护的场景是什么？

I read https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS and I wonder what or who that should protect. If you start Chrome for example in a mode without security restrictions it calls all the APIs on the other domain without preflight and whatsoever. This means a naughty guy can get around this very easily. I don't see how this should protect the owner of a server application, the owner of such an application can have an authentication to protect its site. So what is the scenario who gets protected?

推荐答案

这不是受保护的服务的所有者，而是用户。

It's not the owner of the service that gets protected, it's the user.

如果您作为用户登录到没有CORS保护的应用程序A，则应用程序B可以代表用户在应用程序A上发出请求。

If you as a user are logged into application A, without CORS protection, application B can make requests on behalf of the user on application A.

这对用户及其数据非常危险。

This is extremely dangerous for the user and their data.

这篇关于CORS - 它保护什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！