Access-Control-Allow-Origin http 标头有什么意义?
我很难理解 Access-Control-Allow-Origin http 标头的意义。
我认为如果客户端(浏览器)从服务器得到一次“否”,那么它就不会发送任何进一步的请求。但chrome和firefox不断发送请求。
谁能告诉我一个现实生活中的例子,这样的标题有意义吗?
谢谢!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
Access-Control-Allow-Origin标头应包含“允许”访问资源的源列表。因此,确定哪些域可以向您的服务器请求资源。
例如,发送回
Access-Control-Allow-Origin: *标头将允许所有站点访问所请求的资源。另一方面,发送回
Access-Control-Allow-Origin: http://foo.example.com将仅允许访问 http://foo.example.com。Mozilla 开发者网站 上有更多相关信息
例如
假设我们自己的域中有一个 URL,它返回艺术家音乐专辑的 JSON 集合。它可能看起来像这样:
我们可能在我们的网站上使用一些 AJAX 来获取此 JSON 数据,然后将其显示在我们的网站上。
但是,如果其他站点的某人希望为自己使用我们的 JSON 对象怎么办?也许我们拥有另一个网站
http://subdomain.ourdomain.com,并且希望使用来自ourdomain.com的 Feed。传统上我们无法对该数据发出跨域请求。
通过指定允许访问我们的资源的其他域,我们现在为跨域请求打开了大门。
The
Access-Control-Allow-Originheader should contain a list of origins which are "allowed" to access the resource.Thus, determining which domains can make requests to your server for resources.
For example, sending back a header of
Access-Control-Allow-Origin: *would allow all sites to access the requested resource.On the other hand, sending back
Access-Control-Allow-Origin: http://foo.example.comwill allow access only to http://foo.example.com.There's some more information on this over at the Mozilla Developer Site
For example
Let's suppose we have a URL on our own domain that returns a JSON collection of Music Albums by Artist. It might look like this:
We might use some AJAX on our website to get this JSON data and then display it on our website.
But what if someone from another site wishes to use our JSON object for themselves? Perhaps we have another website
http://subdomain.ourdomain.comwhich we own and would like to use our feed fromourdomain.com.Traditionally we can't make cross-domain requests for this data.
By specifying other domains that are allowed access to our resource, we now open the doors to cross-domain requests.
CORS 实现了跨域的两部分安全视图。它试图解决的问题是,公共互联网上有许多服务器,这些服务器的编写者要么(a)假设没有浏览器允许跨源请求,要么(b)没有考虑过根本就没有。
因此,有些人希望允许跨源通信,但浏览器构建者并不认为他们可以解锁浏览器并突然让所有这些网站暴露出来。为了避免这种情况,他们发明了一种两部分结构。在浏览器允许与服务器进行跨域交互之前,该服务器必须明确表明它愿意允许跨域访问。在简单的情况下,这就是
Access-Control-Allow-Origin。在更复杂的情况下,它是完整的预检机制。服务器确实必须对其资源实施适当的资源访问控制。 CORS 只是允许服务器向浏览器表明它已了解所有问题。
CORS implements a two-part security view of cross-origin. The problem it is trying to solve is that there are many servers sitting out there on the public internet written by people who either (a) assumed that no browser would ever allow a cross-origin request, or (b) didn't think about it at all.
So, some people want to permit cross-origin communications, but the browser-builders do not feel that they can just unlock browsers and suddenly leave all these websites exposed. To avoid this, they invented a two-part structure. Before a browser will permit a cross-origin interaction with a server, that server has to specifically indicate that it is willing to allow cross-origin access. In the simple cases, that's
Access-Control-Allow-Origin. In more complex cases, it's the full preflight mechanism.It's still true that servers have to implement appropriate resource access control on their resources. CORS is just there to allow the server to indicate to browsers that it is aware of all the issues.