How does a CORS plugin / --disable-web-security work in the browser?

I'm sure I'm not the only one who has used/uses CORS plugins for browsers or the --disable-web-security flag while making API calls to external (or even internal) API endpoints. I used this plugin to make Google Maps related API calls. But within the same application, ParseSDK API calls needed no CORS plugin or --disable-web-security flag.

My question is: why are these endpoints acting differently, and how does the CORS plugin solve the problem (even though we don't have control over those APIs)?

Thanks in advance.

Well, what that plugin does is highly irresponsible; it actually disables the same-origin policy, which enforces that a website on a specific origin can only make requests to that origin.

The same-origin policy actually just prevents a website from reading the response of a GET/POST request; the request itself is made, because it's considered safe.

Over time this good security feature became a burden and people used workarounds like JSONP.

So we got a new, standardized way to access foreign origins:

CORS (Cross-Origin Resource Sharing) is a mechanism that allows a web server to specify that another origin is allowed to access its content. This is done with Access-Control-Allow-Origin: example.com, which allows example.com to access the response even if the response is from a different origin.

Access-Control-Allow-Credentials: true would also allow the credentials, which include cookies and HTTP Basic authentication, to be sent within the request.

You can also specify a wildcard for Access-Control-Allow-Origin: *, which allows all websites to access this response. However, when you do this you have to specify Access-Control-Allow-Credentials: false, so no credentials are exposed.

This is the only correct way to implement a publicly accessible AJAX API on the internet.

However, this plugin just simply disables the same-origin policy completely, which is extremely dangerous.

The link you posted (did you read the description?) specifies exactly what the extension does - it adds the Access-Control-Allow-Origin: * header to all responses. This is a CORS header that normally the server sends to notify the browser that you are allowed to make requests from arbitrary origins.

Parse SDK probably supports CORS on their server end.

Just for your information, when most people say CORS they are not referring to a browser extension. They're referring to the web standard called CORS. Documentation below.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
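The two answers above describe the same mechanism from opposite ends: the server decides which origins may read its responses (and that a wildcard must never be paired with credentials), while the browser enforces that decision after the request has already gone out, and the extension simply stamps a wildcard onto every response. The following is an added example, not code from either answer or from the extension, that models both sides as plain functions so the rules can be exercised offline. The origins https://app.example and https://partner.example, the allow-list, and the function names are constructed for the demonstration.

```javascript
// Added example: server-side header policy and browser-side read check for CORS.
// Nothing here is the extension's actual code; it models the behaviour the
// answers describe.

// Server side: build CORS response headers for a request from `requestOrigin`.
// `allowedOrigins` is either the string '*' (public API) or an explicit list.
// Enforces the rule that a wildcard origin is never combined with
// Access-Control-Allow-Credentials: true.
function buildCorsHeaders(requestOrigin, allowedOrigins, allowCredentials) {
  const headers = {};
  if (allowedOrigins === '*') {
    // Public, anonymous API: anyone may read the response, never with credentials.
    headers['Access-Control-Allow-Origin'] = '*';
    headers['Access-Control-Allow-Credentials'] = 'false';
    return headers;
  }
  if (!allowedOrigins.includes(requestOrigin)) {
    // Unknown origin: send no CORS headers, so the browser withholds the response.
    return headers;
  }
  // Echo the single matching allow-listed origin (not the raw request value) and
  // tell caches that the response depends on the Origin header.
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  headers['Vary'] = 'Origin';
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Browser side: may script running on `requestOrigin` read a response that
// carries `responseHeaders`? `withCredentials` is true when cookies or HTTP
// auth were attached. The request itself has already been sent; this gate
// only protects the response body, as the first answer points out.
function mayReadResponse(requestOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  if (acao === undefined) return false;           // no CORS header: same-origin policy applies
  if (acao === '*') return !withCredentials;       // browsers refuse '*' for credentialed requests
  if (acao !== requestOrigin) return false;        // header names some other origin
  return withCredentials ? acac === 'true' : true; // credentials require an explicit opt-in
}

// What the extension from the question does, as modelled here: overwrite the
// origin header on every response with '*', whatever the server actually sent.
function extensionRewrite(responseHeaders) {
  return { ...responseHeaders, 'Access-Control-Allow-Origin': '*' };
}

// Constructed scenario: a page on https://app.example calls an API whose
// allow-list only names https://partner.example.
const PAGE = 'https://app.example';
const API_ALLOWLIST = ['https://partner.example'];

function demo() {
  const serverHeaders = buildCorsHeaders(PAGE, API_ALLOWLIST, true); // {} - app.example is not allowed
  return {
    // Unmodified browser: the response comes back but script cannot read it.
    normalBrowser: mayReadResponse(PAGE, serverHeaders, false),
    // With the extension's rewrite the same response becomes readable, which is
    // why the plugin "fixes" the Google Maps calls in the question.
    withExtension: mayReadResponse(PAGE, extensionRewrite(serverHeaders), false),
    // A credentialed request still fails through the rewrite, because '*' is
    // refused when credentials are sent: this is the leak the wildcard rule prevents.
    withExtensionCredentialed: mayReadResponse(PAGE, extensionRewrite(serverHeaders), true),
  };
}

console.log(demo());
```

The interesting case is the last one: even with the extension injecting a wildcard, a browser will not hand a credentialed response to script, which is exactly why the first answer insists that `Access-Control-Allow-Origin: *` must go with `Access-Control-Allow-Credentials: false`. An API that instead echoes an allow-listed origin and sets `Vary: Origin` can safely opt in to credentials for that origin alone.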
