关于CORS和AJAX的几个问题
[英]Few questions about CORS and AJAX
问题描述
So I wish to make some cross domain AJAX requests and wanted to check a few things. 
因此,我希望提出一些跨域AJAX请求,并希望检查一些内容。
- Is it possible to get CORS to work on IE < 8? 是否可以使CORS在IE <8上工作?
- I am required to ensure that the
Access-Control-Allow-Originheader is set on the response from the server I am making an AJAX request to.我需要确保在向AJAX请求发送的服务器的响应上设置Access-Control-Allow-Origin标头。 Other than allowing every site to make a request, are there any security risks from setting this to*?除了允许每个站点都发出请求之外,将其设置为*还会有安全隐患吗? - From a client security perspective, by DEFAULT a CORS request does not sent cookies (eg session data) to the server I am making the AJAX request to. 从客户端安全的角度来看, 默认情况下 ,CORS请求不会向我向其发出AJAX请求的服务器发送cookie(例如,会话数据)。 HOWEVER, it is possible to send cookie data etc...is this statement correct? 但是,可以发送cookie数据等...此语句正确吗?
1 个解决方案
解决方案1
0 已采纳 2014-06-17 12:08:41
Is it possible to get CORS to work on IE < 8?
Unfortunately not. 不幸的是没有。 Microsoft's XDomainRequest didn't arrive until IE8. 微软的XDomainRequest直到IE8才出现。
Other than allowing every site to make a request, are there any security risks from setting Access-Control-Allow-Origin to *?
Strictly speaking no, but this in itself presents a range of potential security issues. 严格来说不,但这本身就带来了一系列潜在的安全问题。 Unless you need all origins allowed, configuring a whitelist is preferred. 除非您需要所有允许的来源,否则最好配置白名单。
From a client security perspective, by DEFAULT a CORS request does not send cookies to the server I am making the AJAX request to.
Yes, correct. 是,对的。 If you want to include cookies, you must configure the XHR's withCredentials property. 如果要包括cookie,则必须配置XHR的withCredentials属性。
Additional information: 附加信息:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.