我的理解,如果一个客户端脚本的网页上运行,从foo.com的方式希望从bar.com请求数据,在请求必须指定标题产地:HTTP: //foo.com
,和酒吧必须以响应访问控制 - 允许 - 产地:http://foo.com
The way I understand it, if a client-side script running on a page from foo.com wants to request data from bar.com, in the request it must specify the header Origin: http://foo.com
, and bar must respond with Access-Control-Allow-Origin: http://foo.com
.
有什么需要停止从网站roh.com恶意code从简单的欺骗头产地:http://foo.com
来请求页面吧?
What is there to stop malicious code from the site roh.com from simply spoofing the header Origin: http://foo.com
to request pages from bar?
浏览器是在设置原产地
头,和用户不能覆盖该值的控制权。所以你不会看到原产地
头从浏览器欺骗。恶意用户可以制作一个卷曲请求手动设置原产地
头,但这一要求将来自浏览器之外,可能没有特定于浏览器的信息(如饼干)。
Browsers are in control of setting the Origin
header, and user's can't override this value. So you won't see the Origin
header spoofed from a browser. A malicious user could craft a curl request that manually sets the Origin
header, but this request would come from outside a browser, and may not have browser-specific info (such as cookies).
记住:CORS是不是安全。不要依赖CORS,以确保您的网站。如果你是提供保护的数据,使用Cookie或OAuth的令牌或东西比产地等
头,以确保这些数据。该在CORS访问控制 - 允许 - 原产地
头只规定了哪些起源应该被允许做跨域请求。不要依赖于它的任何东西。
Remember: CORS is not security. Do not rely on CORS to secure your site. If you are serving protected data, use cookies or OAuth tokens or something other than the Origin
header to secure that data. The Access-Control-Allow-Origin
header in CORS only dictates which origins should be allowed to make cross-origin requests. Don't rely on it for anything more.
上一篇:jQuery的.getscript()时,脚本被完全加载和执行回调回调、脚本、加载、jQuery
下一篇:ASP.NET MVC 3 - Ajax.BeginForm VS jQuery的表格插件表格、插件、MVC、NET