默认情况下,哪些客户端可以/不能访问RESTful Web服务?
[英]What clients can / can't access a RESTful web service by default?
问题描述
I am currently developing an API that will be launched into production in a matter of weeks. 
我目前正在开发一个API,它将在几周内投入生产。 I am relatively new to REST, started reading about CORS - and realized that it could impact me. 我对REST比较陌生,开始阅读有关CORS的信息-并意识到这可能会影响我。
What conditions will a REST service not be accessible to a client? 客户端无法访问REST服务的什么条件? I have been using sample html/js on the same server, and through Postman - a google chrome addon - to access my API. 我一直在同一台服务器上使用示例html / js,并通过Postman(一种Google chrome插件)来访问我的API。 I have had no issues so far. 到目前为止,我还没有任何问题。
When the API goes live, it will be hosted at 'api.myserver.com'. 该API上线后,将托管在“ api.myserver.com”上。 Requests, at the beginning, will come from 'app.myOTHERserver.com'. 最初,请求将来自“ app.myOTHERserver.com”。 Will these requests be denied if I do not use a CORS-friendly approach like JSONP or special 'access-control' headers that permit my domain? 如果我不使用允许我的域的JSONP之类的CORS友好方法或特殊的“访问控制”标头,是否会拒绝这些请求?
What about accessing rest APIs from other non-browser clients? 从其他非浏览器客户端访问rest API怎么办? Such as a C# application? 如C#应用程序? Are these requests permitted by default? 默认情况下是否允许这些请求?
Assuming I do need to add 'access-control' headers server-side, to permit the scenario described above when my API goes live, is it better (performance-wise) to let your web server (NGINX in my case) handle the headers, or should I add them through PHP or NodeJS? 假设我确实需要在服务器端添加“访问控制”标头,以允许在我的API启用时上述情况,让您的Web服务器(在我的情况下为NGINX)处理标头更好(在性能方面) ,还是应该通过PHP或NodeJS添加它们?
2 个解决方案
解决方案1
1 已采纳 2014-08-05 00:47:07
This is more about the same-origin policy applied by web browsers than it is about RESTful APIs in general. 通常,这与 Web浏览器应用的同源策略相比,与RESTful API相比更多。
If your API is intended to be used by web applications deployed on a different origin host/port than the API, then you have these options: 如果您的API打算供与API不在其他原始主机/端口上部署的Web应用程序使用,那么您可以使用以下选项:
- Respond with appropriate headers that allow for techniques like CORS to work. 响应适当的标头,以使诸如CORS之类的技术能够正常工作。
- Have the web server which serves up your web content (in your example,
app.myOTHERserver.com) handle your REST API requests too by proxifying your API requests from the web server through to the API server.通过代理从Web服务器到API服务器的API请求,也让提供您的Web内容的Web服务器(在您的示例中为app.myOTHERserver.com)也处理您的REST API请求。 For example, you could have your API exposed on your web server under the URL/api, and then it's just a matter of setting up a web proxy configuration that forwards requests under that URL to your API server.例如,您可以在Web服务器上的URL /api下公开您的/api,然后只需设置一个Web代理配置即可将该URL下的请求转发到您的API服务器。 - Use JSONP or other techniques. 使用JSONP或其他技术。
If your API is going to be used by non-web applications, you have nothing to worry about. 如果您的API将由非Web应用程序使用,则无需担心。 This is only a restriction applied by browsers when running JavaScript code to make sure that the user hasn't inadvertently clicked on a phishing link with some hackery in it that tries to send their PayPal password to Pyongyang. 这只是浏览器在运行JavaScript代码时施加的限制,以确保用户没有无意中单击带有某些黑客的网络钓鱼链接,该链接试图将其PayPal密码发送给平壤。
解决方案2
0 2014-08-04 21:23:27
When the API goes live, it will be hosted at 'api.myserver.com'.
You can specify what clients can access your web service to an extend. 您可以指定哪些客户端可以扩展访问您的Web服务。 Assuming you're using Express: How to allow CORS? 假设您使用Express: 如何允许CORS?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.