How does EnableCors restrict the origin access


Question

I have created a WebAPI controller as below

using System.Web.Http;
using System.Web.Http.Cors;

// Allow cross-origin requests only from http://localhost:1234,
// with any request header and any HTTP method.
[EnableCors(origins: "http://localhost:1234", headers: "*", methods: "*")]
public class DummyController : ApiController
{
    public string GetDummy()
    {
        return "Iam not DUMMY";
    }
}

When I hit the service using ajax from my application which is hosted on localhost:5678 it throws an error since it is not allowed, but when I hit the same API from a REST client like Postman it returns data.

Questions

1) CORS restricts only ajax requests and not the normal HTTP requests, because I believe Postman sends normal HTTP requests.

2) How does EnableCors restrict to the provided origins? Consider that if I modify the origin and referrer params in the ajax request I can fish the values. What strategy does CORS use to identify the referrer URL?

As W3C states, the HTTP Referer can be easily modified, so one should not depend on its value to authorize access. If that is the case, what is EnableCors checking behind the scenes to authorize the origin?

I could just change my origin in the ajax request as well. Please help me with this, I am pretty much confused.

Recommended answer

CORS restricts only ajax requests and not the normal HTTP requests, because I believe Postman sends normal HTTP requests.

Yes, specifically browsers restrict Ajax requests. That is, browsers by default don't allow frontend JavaScript code to access responses from cross-origin requests made with XMLHttpRequest, the Fetch API, or with Ajax methods from JavaScript libraries.

Servers don't themselves enforce any restrictions on cross-origin requests; instead, servers send responses to any clients that make requests to them, including Postman, and including browsers.

Browsers themselves always get the responses that any other client would; but just because the browser gets a response doesn't mean the browser will allow frontend JavaScript code to access that response. Browsers will only expose a response for a cross-origin request to frontend code if the response includes the Access-Control-Allow-Origin header.

How does EnableCors restrict to the provided origins?

It doesn't. When you CORS-enable a server, the only effect that has is to cause the server to send additional response headers, based on the values of particular request headers it receives, in particular the Origin request header.

Consider that if I modify the origin and referrer params in the ajax request I can fish the values. What strategy does CORS use to identify the referrer URL?

Servers don't (and can't) do any validation of the Origin value to confirm it hasn't been spoofed or whatever. But the CORS protocol doesn't require servers to do that, because all CORS enforcement is done by browsers.

As W3C states, the HTTP Referer can be easily modified, so one should not depend on its value to authorize access. If that is the case, what is EnableCors checking behind the scenes to authorize the origin?

I could just change my origin in the ajax request as well. Please help me with this, I am pretty much confused.

Browsers know the real origin of any frontend code that sends a cross-origin request, and browsers do CORS checks against what they know to be the real origin of the request, and not against the value of the Origin header.

Browsers are what set the Origin request header and send it over the network to begin with; they set the Origin value based on what they know to be the real origin, and not for their own use, because they already know what the origin is, and that value is what they use internally.

So even if you manage to change an Origin header for a request, that won't matter to the browser; it's going to ignore that value and continue checking against the real origin.

cf. the answer to "Does it make sense, security-wise, to allow CORS for specific domains?"
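The exchange the answer describes, as an added example that is not part of the original post and not the ASP.NET Web API EnableCors implementation: a hypothetical server that only adds response headers based on the Origin request header it receives, a hypothetical browser that decides whether script may read the response using the origin it knows the page came from, and a plain client like Postman that reads the body regardless. The allow list, the API address and the "origin_on_wire" parameter (which models the Origin header being altered on the path) are constructed for the example.

```python
from typing import Dict, Optional, Set

# Constructed allow list, mirroring the origins argument of the question's
# [EnableCors("http://localhost:1234", "*", "*")] attribute.
ALLOWED_ORIGINS: Set[str] = {"http://localhost:1234"}
RESOURCE_BODY = "Iam not DUMMY"


def handle_request(request_headers: Dict[str, str], allowed_origins: Set[str]) -> dict:
    """Server side of the exchange (hypothetical model, not EnableCors's own code).

    The server never refuses the request: it always returns the body. All that
    CORS-enabling it does is add Access-Control-Allow-Origin when the Origin
    request header matches the allow list. The server cannot tell whether the
    Origin value is genuine; it simply compares strings.
    """
    response = {"status": 200, "body": RESOURCE_BODY, "headers": {}}
    origin = request_headers.get("Origin")
    if origin is None:
        return response  # no Origin header: nothing to add
    if "*" in allowed_origins:
        response["headers"]["Access-Control-Allow-Origin"] = "*"
    elif origin in allowed_origins:
        response["headers"]["Access-Control-Allow-Origin"] = origin
        # Caveat for shared caches: the header value depends on Origin, so say so.
        response["headers"]["Vary"] = "Origin"
    return response


def browser_fetch(page_origin: str, target_origin: str, allowed_origins: Set[str],
                  origin_on_wire: Optional[str] = None) -> Optional[str]:
    """Browser side: what frontend script running on page_origin gets to read.

    The browser sets Origin from page_origin, which it knows for certain.
    origin_on_wire models the header being altered somewhere on the path
    (a proxy, an extension); the enforcement step below ignores it and uses
    page_origin, as the answer describes.
    """
    sent_headers = {"Origin": origin_on_wire or page_origin}
    response = handle_request(sent_headers, allowed_origins)
    if page_origin == target_origin:
        return response["body"]  # same-origin request: no CORS check at all
    acao = response["headers"].get("Access-Control-Allow-Origin")
    if acao == "*" or acao == page_origin:
        return response["body"]
    # The response arrived, but the browser withholds it from script (CORS error).
    return None


def plain_client_fetch(allowed_origins: Set[str], origin_header: Optional[str] = None) -> str:
    """A non-browser client such as Postman: it reads the body no matter which
    CORS headers are or are not present in the response."""
    headers = {} if origin_header is None else {"Origin": origin_header}
    return handle_request(headers, allowed_origins)["body"]


if __name__ == "__main__":
    api = "http://localhost:9999"  # constructed address for the Web API host
    print("allowed page  :", browser_fetch("http://localhost:1234", api, ALLOWED_ORIGINS))
    print("other page    :", browser_fetch("http://localhost:5678", api, ALLOWED_ORIGINS))
    print("spoofed Origin:", browser_fetch("http://localhost:5678", api, ALLOWED_ORIGINS,
                                           origin_on_wire="http://localhost:1234"))
    print("Postman       :", plain_client_fetch(ALLOWED_ORIGINS))
```

Running the block shows the four cases from the question: the page on localhost:1234 reads the body, the page on localhost:5678 gets nothing even though the server answered 200, an altered Origin header makes the server echo the allowed origin but the browser still compares against the real page origin and withholds the body, and the Postman-style client reads the body every time. The Vary: Origin header is an addition beyond the answer's text: once the Access-Control-Allow-Origin value depends on the request, a shared cache must not serve one origin's response to another.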
