What stops malicious code from spoofing the "Origin" header to exploit CORS?

2023-09-11 00:48:56 Author: oo-┈→凉心℡~

The way I understand it, if a client-side script running on a page from foo.com wants to request data from bar.com, in the request it must specify the header Origin: http://foo.com, and bar must respond with Access-Control-Allow-Origin: http://foo.com.

What is there to stop malicious code from the site roh.com from simply spoofing the header Origin: http://foo.com to request pages from bar?

Accepted answer

Browsers are in control of setting the Origin header, and users can't override this value. So you won't see the Origin header spoofed from a browser. A malicious user could craft a curl request that manually sets the Origin header, but this request would come from outside a browser, and may not have browser-specific info (such as cookies).

Remember: CORS is not security. Do not rely on CORS to secure your site. If you are serving protected data, use cookies or OAuth tokens or something other than the Origin header to secure that data. The Access-Control-Allow-Origin header in CORS only dictates which origins should be allowed to make cross-origin requests. Don't rely on it for anything more.
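An added example, not code from the original answer, that shows the point above in a minimal request handler: the Origin header is used only to pick CORS response headers from an explicit allowlist, while access to protected data is decided by the session cookie alone, so a curl-style request that spoofs Origin but carries no cookie is refused. The names ALLOWED_ORIGINS, SESSIONS, corsHeaders and handleRequest, and the session data, are assumptions constructed for the example.

```javascript
// Hypothetical handler illustrating "CORS is not authentication".
// Explicit allowlist: never reflect an arbitrary Origin, never use "*" with credentials.
const ALLOWED_ORIGINS = new Set(['http://foo.com']);

// Constructed session store standing in for a real cookie/session backend.
const SESSIONS = new Map([['sess-123', { user: 'alice' }]]);

// Build CORS response headers. The Origin value is matched against the
// allowlist; an unknown Origin simply gets no Access-Control-Allow-Origin.
function corsHeaders(origin) {
  const headers = {};
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin'; // response differs per Origin; keep caches correct
  }
  return headers;
}

// Parse a Cookie header into a session record, or null if absent/invalid.
function sessionFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(cookieHeader || '');
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Serve protected data. Authorization depends only on the session cookie;
// the Origin header only shapes the CORS headers attached to the response.
function handleRequest(req) {
  const headers = corsHeaders(req.headers.origin);
  const session = sessionFromCookie(req.headers.cookie);
  if (!session) {
    return { status: 401, headers, body: 'authentication required' };
  }
  return { status: 200, headers, body: `secret for ${session.user}` };
}

// Constructed requests: a browser-issued request from foo.com carrying the
// session cookie, and a curl-style request that sets Origin but has no cookie.
const fromBrowser = { headers: { origin: 'http://foo.com', cookie: 'sid=sess-123' } };
const spoofedOrigin = { headers: { origin: 'http://foo.com' } };

console.log(handleRequest(fromBrowser));   // status 200, CORS headers present
console.log(handleRequest(spoofedOrigin)); // status 401 although Origin "matches"
```

A request from an origin outside the allowlist that does carry a valid cookie still gets its data (status 200) but no Access-Control-Allow-Origin header, which is what makes the browser withhold the response from the calling script.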