This article is translated from: CORS - What is the motivation behind introducing preflight requests?

Cross-origin resource sharing is a mechanism that allows a web page to make XMLHttpRequests to another domain (from Wikipedia).

I've been fiddling with CORS for the last couple of days and I think I have a pretty good understanding of how everything works.

So my question is not about how CORS / preflight work, it's about the reason behind coming up with preflights as a new request type. I fail to see any reason why server A needs to send a preflight (PR) to server B just to find out if the real request (RR) will be accepted or not - it would certainly be possible for B to accept/reject RR without any prior PR.

After searching quite a bit I found this piece of information at www.w3.org (7.1.5):

To protect resources against cross-origin requests that could not originate from certain user agents before this specification existed a preflight request is made to ensure that the resource is aware of this specification.

I find this the hardest-to-understand sentence ever. My interpretation (I should rather call it 'best guess') is that it's about protecting server B against requests from server C that is not aware of the spec.

Can someone please explain a scenario / show a problem that PR + RR solves better than RR alone?


#1

Reference: https://stackoom.com/question/12XKL/CORS-引入预检请求的动机是什么


#2

CORS allows you to specify more headers and method types than was previously possible with cross-origin <img src> or <form action>.

Some servers could have been (poorly) protected with the assumption that a browser cannot make, e.g., a cross-origin DELETE request or a cross-origin request with an X-Requested-With header, so such requests are "trusted".

To make sure that the server really supports CORS and does not just happen to respond to random requests, the preflight is executed.


#3

Additionally, for HTTP request methods that can cause side-effects on user data (in particular, for HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers "preflight" the request

Source


#4

Consider the world of cross-domain requests before CORS. You could do a standard form POST, or use a script or an image tag to issue a GET request. You couldn't make any other request type other than GET/POST, and you couldn't issue any custom headers on these requests.

With the advent of CORS, the spec authors were faced with the challenge of introducing a new cross-domain mechanism without breaking the existing semantics of the web. They chose to do this by giving servers a way to opt-in to any new request type. This opt-in is the preflight request.

So GET/POST requests without any custom headers don't need a preflight, since these requests were already possible before CORS. But any request with custom headers, or PUT/DELETE requests, do need a preflight, since these are new to the CORS spec. If the server knows nothing about CORS, it will reply without any CORS-specific headers, and the actual request will not be made.

Without the preflight request, servers could begin seeing unexpected requests from browsers. This could lead to a security issue if the servers weren't prepared for these types of requests. The CORS preflight allows cross-domain requests to be introduced to the web in a safe manner.


#5

I spent some time being confused as to the purpose of the preflight request but I think I've got it now.

The key insight is that preflight requests are not a security thing. Rather, they're a not-changing-the-rules thing.

Preflight requests have nothing to do with security, and they have no bearing on applications that are being developed now, with an awareness of CORS. Rather, the preflight mechanism benefits servers that were developed without an awareness of CORS, and it functions as a sanity check between the client and the server that they are both CORS-aware. The developers of CORS felt that there were enough servers out there that were relying on the assumption that they would never receive, e.g., a cross-domain DELETE request that they invented the preflight mechanism to allow both sides to opt-in. They felt that the alternative, which would have been to simply enable the cross-domain calls, would have broken too many existing applications.

There are three scenarios here:

  1. Old servers, no longer under development, and developed before CORS. These servers may make assumptions that they'll never receive, e.g., a cross-domain DELETE request. This scenario is the primary beneficiary of the preflight mechanism. Yes, these services could already be abused by a malicious or non-conforming user agent (and CORS does nothing to change this), but in a world with CORS the preflight mechanism provides an extra 'sanity check' so that clients and servers don't break because the underlying rules of the web have changed.

  2. Servers that are still under development, but which contain a lot of old code and for which it's not feasible/desirable to audit all the old code to make sure it works properly in a cross-domain world. This scenario allows servers to progressively opt-in to CORS, e.g., by saying "Now I'll allow this particular header", "Now I'll allow this particular HTTP verb", "Now I'll allow cookies/auth information to be sent", etc. This scenario benefits from the preflight mechanism.

  3. New servers that are written with an awareness of CORS. According to standard security practices, the server has to protect its resources in the face of any incoming request -- servers can't trust clients to not do malicious things. This scenario doesn't benefit from the preflight mechanism: the preflight mechanism brings no additional security to a server that has properly protected its resources.
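The opt-in handshake that answers #4 and #5 describe, modelled as an added example (my own code, not code from the question or from any of the answers). `needsPreflight()` applies the browser's "could a pre-CORS form or image tag have sent this?" test, `makePreflightHandler()` is a CORS-aware server that answers OPTIONS only from an explicit allowlist, `legacyOptionsHandler()` stands in for a server written before CORS, and `simulate()` shows what the browser does in each case. All function names, the policy shape and the origins `https://app.example` / `https://evil.example` are my own assumptions; the model ignores credentials and `*` wildcards.

```javascript
// Added example, not from the original question or answers. Names, policy
// shape and sample origins are assumptions made for this illustration.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
// Request headers a browser may add cross-origin without a preflight.
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
// Content-Type values a plain <form> could already send before CORS existed.
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

function lowerKeys(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj || {})) out[k.toLowerCase()] = v;
  return out;
}

// A header is "simple" only if its name is safelisted and, for Content-Type,
// its MIME type is one a pre-CORS form could have produced.
function isSimpleHeader(name, value) {
  const lname = name.toLowerCase();
  if (!SIMPLE_HEADERS.has(lname)) return false;            // e.g. X-Requested-With
  if (lname !== "content-type") return true;
  return SIMPLE_CONTENT_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
}

// Browser-side rule from answer #4: anything a pre-CORS page could not have
// sent (other methods, custom headers, other MIME types) is preflighted.
function needsPreflight(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return true;
  return Object.entries(req.headers || {}).some(([n, v]) => !isSimpleHeader(n, v));
}

// Server-side opt-in (scenario 2 of answer #5): emit Access-Control-* headers
// only when origin, method and requested headers are all on the allowlist.
// A response without them is the "I do not know this spec" answer that makes
// the browser drop the real request.
function makePreflightHandler(policy) {
  return function handlePreflight(preflight) {
    const h = lowerKeys(preflight.headers);
    const origin = h["origin"];
    const method = (h["access-control-request-method"] || "").toUpperCase();
    const requested = (h["access-control-request-headers"] || "")
      .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
    const ok = policy.origins.has(origin) && policy.methods.has(method)
      && requested.every(name => policy.headers.has(name));
    if (!ok) return { status: 204, headers: {} };
    return {
      status: 204,
      headers: {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": [...policy.methods].join(", "),
        "Access-Control-Allow-Headers": [...policy.headers].join(", "),
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",
      },
    };
  };
}

// A server from scenario 1 of answer #5: it has never heard of CORS and answers
// OPTIONS the pre-CORS way, with no Access-Control-* headers at all.
function legacyOptionsHandler() {
  return { status: 200, headers: { "Allow": "GET, POST, PUT, DELETE" } };
}

// Browser-side check of the preflight response (simplified: no credentials, no "*").
function preflightPasses(origin, req, response) {
  if (response.status < 200 || response.status >= 300) return false;
  const h = lowerKeys(response.headers);
  if (h["access-control-allow-origin"] !== origin) return false;
  const methods = (h["access-control-allow-methods"] || "").split(",").map(s => s.trim().toUpperCase());
  const method = req.method.toUpperCase();
  if (!SIMPLE_METHODS.has(method) && !methods.includes(method)) return false;
  const allowed = new Set((h["access-control-allow-headers"] || "").split(",").map(s => s.trim().toLowerCase()));
  return Object.entries(req.headers || {}).every(([n, v]) => isSimpleHeader(n, v) || allowed.has(n.toLowerCase()));
}

// End to end: "sent-without-preflight", "sent" (preflight passed) or "blocked".
function simulate(origin, req, optionsHandler) {
  if (!needsPreflight(req)) return "sent-without-preflight";
  const extra = Object.entries(req.headers || {})
    .filter(([n, v]) => !isSimpleHeader(n, v)).map(([n]) => n.toLowerCase());
  const headers = { "Origin": origin, "Access-Control-Request-Method": req.method.toUpperCase() };
  if (extra.length) headers["Access-Control-Request-Headers"] = extra.join(", ");
  const response = optionsHandler({ method: "OPTIONS", headers });
  return preflightPasses(origin, req, response) ? "sent" : "blocked";
}

// Constructed sample policy for a CORS-aware server.
const corsAwareServer = makePreflightHandler({
  origins: new Set(["https://app.example"]),
  methods: new Set(["GET", "POST", "DELETE"]),
  headers: new Set(["content-type", "x-requested-with"]),
});

console.log(simulate("https://app.example", { method: "DELETE", headers: {} }, corsAwareServer));   // sent
console.log(simulate("https://app.example", { method: "DELETE", headers: {} }, legacyOptionsHandler)); // blocked
console.log(simulate("https://app.example", { method: "GET", headers: {} }, legacyOptionsHandler));   // sent-without-preflight
```

The two `legacyOptionsHandler` lines are the whole argument: a GET with no custom headers still reaches the old server exactly as it did before CORS, while the DELETE is dropped by the browser because the server never produced an `Access-Control-Allow-Origin` header, so the old server's "nobody can send me a cross-origin DELETE" assumption keeps holding. Swapping in `corsAwareServer` shows the opt-in: the same DELETE goes through once the server lists the origin and the method.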


#6

Aren't the preflighted requests about performance? With the preflighted requests a client can quickly know if the operation is allowed before sending a large amount of data, e.g., JSON with the PUT method. Or before sending sensitive data in authentication headers over the wire.

The fact that PUT, DELETE, and other methods, besides custom headers, aren't allowed by default (they need explicit permission with "Access-Control-Request-Methods" and "Access-Control-Request-Headers") sounds just like a double-check, because these operations could have more implications for the user data than GET requests. So, it sounds like:

"I saw that you allow cross-site requests from http://foo.example, BUT are you SURE that you'll allow DELETE requests? Did you consider the impacts that these requests might cause in the user data?"

I didn't understand the cited correlation between the preflighted requests and the old servers' benefits. A Web Service that was implemented before CORS, or without CORS awareness, will never receive ANY cross-site request, because first their response won't have the "Access-Control-Allow-Origin" header.
