
web - Cross-Origin Resource Sharing with credentials and "essentially" any origin

Reposted. Author: 行者123. Updated: 2023-12-04 22:28:25

In step 3 of the W3C Cross-Origin Resource Sharing Recommendation (http://www.w3.org/TR/cors/#resource-requests), it states:

If the resource supports credentials add a single Access-Control-Allow-Origin header, with the value of the Origin header as value, and add a single Access-Control-Allow-Credentials header with the case-sensitive string "true" as value.

Otherwise, add a single Access-Control-Allow-Origin header, with either the value of the Origin header or the string "*" as value.

The string "*" cannot be used for a resource that supports credentials.

This is then reflected in the following code:
if (policy.AllowAnyOrigin)
{
    if (policy.SupportsCredentials)
    {
        // "*" is not allowed together with credentials, so the request's
        // Origin is echoed back instead and the response varies by Origin.
        result.AllowedOrigin = origin;
        result.VaryByOrigin = true;
    }
    else
    {
        result.AllowedOrigin = CorsConstants.AnyOrigin;
    }
}
else if (policy.Origins.Contains(origin))
{
    result.AllowedOrigin = origin;
}

https://github.com/aspnet/CORS/blob/release/src/Microsoft.AspNet.Cors/CorsService.cs#L219

My question is: how is this secure? If the server is simply instructed to work around the restriction, what is the point of the browser rejecting * as the allowed origin when credentials are allowed?

Best answer

@BrainSlugs83's comment seems to answer the question, so I am copying it here:

This is not secure! -- it's essentially doing the C# version of the "workaround" posted here: https://stackoverflow.com/a/25623518/398630

This code defeats the purpose of the CORS restriction.
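To make the point concrete, here is an added example (not code from the question or from the ASP.NET CORS project) that models the step-3 decision in Python: the posted reflect-the-Origin branch beside an allowlist-only variant, plus an audit check that sends a constructed untrusted origin and reports whether credentials are granted to it. The policy fields and the `https://untrusted.example` origin are assumptions made up for the example.

```python
from dataclasses import dataclass

ANY_ORIGIN = "*"


@dataclass
class CorsPolicy:
    # Hypothetical policy shape mirroring the fields used in the question.
    allow_any_origin: bool = False
    supports_credentials: bool = False
    origins: frozenset = frozenset()


def cors_headers_as_posted(policy: CorsPolicy, origin: str) -> dict:
    """Same decision as the posted snippet: AllowAnyOrigin plus credentials
    echoes whatever Origin arrived, so any site gets a credentialed response."""
    headers = {}
    if policy.allow_any_origin:
        if policy.supports_credentials:
            headers["Access-Control-Allow-Origin"] = origin  # reflected
            headers["Vary"] = "Origin"
        else:
            headers["Access-Control-Allow-Origin"] = ANY_ORIGIN
    elif origin in policy.origins:
        headers["Access-Control-Allow-Origin"] = origin
    # Per the quoted spec step 3, credentials are announced with the literal "true".
    if "Access-Control-Allow-Origin" in headers and policy.supports_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_strict(policy: CorsPolicy, origin: str) -> dict:
    """Hardened variant: credentials are granted only to an explicitly listed
    origin; AllowAnyOrigin is honoured solely as a literal "*" without credentials."""
    headers = {}
    if origin in policy.origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
        if policy.supports_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    elif policy.allow_any_origin and not policy.supports_credentials:
        headers["Access-Control-Allow-Origin"] = ANY_ORIGIN
    return headers


def grants_credentials_to_arbitrary_origin(header_fn, policy: CorsPolicy) -> bool:
    """Audit check: probe with a constructed origin that is on no allowlist and
    report whether the response would let it read a credentialed resource."""
    probe = "https://untrusted.example"  # constructed, not a real deployment
    headers = header_fn(policy, probe)
    return (headers.get("Access-Control-Allow-Credentials") == "true"
            and headers.get("Access-Control-Allow-Origin") == probe)
```

Running the audit against `cors_headers_as_posted` with `allow_any_origin=True, supports_credentials=True` returns True, which is exactly the "workaround" the answer warns about; the strict variant returns False for the same policy.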

Regarding "web - Cross-Origin Resource Sharing with credentials and "essentially" any origin", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/34079993/
