CORS

CORS

关注
发信
关注(28)粉丝(399)

CORS我应该强制实施原产头的概念和?

本文介绍了CORS我应该强制实施原产头的概念和?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

据我了解 CORS不能确切地保护你的方式,你可以真正确保来电者是谁。因为呼叫者可以发送任何来源的头,他想要的。其实我读的地方,你不能设置通过JavaScript的起源头,因为它是一个受限制的头 - 但我不能肯定这一点。无论如何..如果你要实现你自己的HttpClient你可以很容易伪造产地的包头和因此消耗,你不应该使用服务。

As far as I understand CORS cannot exactly protect you in the way that you can really be sure who the caller is. Because the caller can send any ORIGIN header he wants. Actually I read somewhere you cannot set the origin header via javascript as it is a restricted header - but I'm not quite sure of that. Anyway.. if you were to implement your own HttpClient you could easily forge your origin header and therefore consume services which you are not supposed to consume.

其次如果没有指定产地头请求作品以及。比如我使用谷歌Chrome的邮差扩展,它不发送任何起源头。事实上,如果你尝试添加一个手动它不通过网络发送它。

Secondly if no Origin header is specified the request works as well. For example I use Google Chrome's Postman Extension and it doesn't send any origin headers. In fact if you try to add one manually it doesn't send it over the wire.

因此​​...

  • ... 问题1 是:如果我的应用程序拒绝无任何产地头部的请求?和...
  • ... 问题2 :究竟如何赚取CORS我的REST服务更有保障

    Therefore...

  • ...question 1 is: Should my application deny requests without any Origin header? And...
  • ...question 2: How exactly does make CORS my REST service more secure?

    推荐答案

    有浏览器支持CORS,不支持CORS。 (我们是在CORS的早期阶段,CORS规范的跨浏览器的实现并不一致)。

    There are browsers supporting CORS and not supporting CORS. (We are at the early stage of CORS, the implementations of the CORS specification across browsers are not consistent).


    • 不支持在浏览器检测到的横原点请求,该请求被阻塞,而不是发送到服务器CORS装置。

    • 支持CORS意味着浏览器应用CORS政策:发送请求到服务器之前和接收响应之后追加Origin标头,浏览器会检查访问控制允许来源的决定是否丢弃该响应

    同源政策旨在减少XSS攻击的风险,这种攻击主要发生在浏览器中,不太可能在HttpClient的发生。该CORS政策是放宽同源策略,这样,如果你是这两个网站的所有者,您可以利用这一政策,让你的2个站点之间的通信。

    The same-origin policy is intended to reduce the risks of XSS attacks, this attack mostly happens on browsers, not likely to happen in HttpClient. The CORS policy is for relaxing the same-origin policy so that if you are the owner of both sites, you can leverage this policy to allow communications between your 2 sites.

    提示支持CORS意味着浏览器已经应用
      后跨域安全策略已经联系了服务器和有
      得到的响应报头,这意味着请求时,即使
      响应被丢弃,因为所需要的标头缺少或
      指定不同的域。这是一个非常不同的方法
      不实现CORS并且简单地阻塞请求的浏览器,
      从来没有接触到服务器。

    此<一个提取href=\"http://books.google.com.vn/books?id=sr5yu98mCmkC&printsec=frontcover&hl=vi&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false\"相对=nofollow>书

    这篇关于CORS我应该强制实施原产头的概念和?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

    • 10-27 17:20
    Powered by LMLPHP ©2024 CORS 0.005121