Few questions about CORS and AJAX
So I wish to make some cross domain AJAX requests and wanted to check a few things.

I need to make sure the Access-Control-Allow-Origin header is set on the response from the server I am making an AJAX request to. Other than allowing every site to make a request, are there any security risks from setting this to *?

Is it possible to get CORS to work on IE < 8?
Unfortunately not. Microsoft's XDomainRequest didn't arrive until IE8.

Other than allowing every site to make a request, are there any security risks from setting Access-Control-Allow-Origin to *?

Strictly speaking no, but this in itself presents a range of potential security issues. Unless you need all origins allowed, configuring a whitelist is preferred.

From a client security perspective, by DEFAULT a CORS request does not send cookies to the server I am making the AJAX request to. HOWEVER, it is possible. Is this statement correct?

Yes, correct. If you want to include cookies, you must configure the XHR's withCredentials property.
Additional information:
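As an added example (not part of the original question or answer), the whitelist approach and its interaction with withCredentials in JavaScript: corsHeaders is a server-side allow-list check, and browserAllowsRead simulates the browser's CORS read check so the "*" versus whitelist difference can be tried offline. The origins and both function names are constructed for illustration.

```javascript
// Added example, not code from the question or answer. The allow-list
// entries below are constructed sample origins.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Server side: headers to add for a request carrying `origin`, or {} when
// the origin is not on the list (no ACAO header -> the browser blocks the read).
function corsHeaders(origin, allowCredentials = false) {
  // Exact match only: a startsWith()/regex test would also accept
  // "https://app.example.com.attacker.example".
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    // Echo the single matched origin rather than "*".
    "Access-Control-Allow-Origin": origin,
    // The response differs per origin, so shared caches must key on it.
    "Vary": "Origin",
  };
  if (allowCredentials) {
    // Only needed when the client sets xhr.withCredentials = true.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side (simulation of the CORS check): may a script running at
// `origin` read a response carrying `headers`, given whether the XHR was
// sent with withCredentials = true?
function browserAllowsRead(origin, headers, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (withCredentials) {
    // Credentialed requests: "*" is rejected, the origin must match
    // exactly, and Allow-Credentials must be the literal string "true".
    return acao === origin &&
      headers["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === origin;
}
```

The last case in the simulation is the one the answer alludes to: a server that answers with * cannot have its responses read by a withCredentials request, so cookies only travel usefully to an origin-echoing whitelist.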