我认为对于XMLHttpRequest.
与其禁止 Javascript 代码向不同的主机发送 http 请求(这对于合法用途来说真的很烦人),在这种情况下只允许请求但不发送或接受 cookie 不是更好吗?
禁止一个特定的脚本来获得互联网上其他人都能获得的东西,乍一看,在我看来这是一个非常奇怪的选择......
我错过了什么?
问问题
566 次
2 回答
2
Instead of forbidding Javascript code to send http request to different hosts (something that is really annoying for legitimate uses) wouldn't have been better to just allow the request but not sending or accepting cookies in that case?
That is what Cross-Origin Resource Sharing (CORS) specifies.
Care must always be taken by applications when making cross-origin requests with user credentials, and servers processing such requests must take care in the use of credentials, including the Origin header.
- When requests have significance other than retrieval, and when relying on the Origin header as a credential, servers must be careful to distinguish between authorizing a request and authorizing access to the representation of that resource in the response.
...
omit credentials flag
Set when user credentials are to be excluded in the request and when cookies are to be ignored in its response.
Forbidding a specific script to get something that literally everyone else in the internet can get seems to me at a first sight a quite weird choice...
What am I missing?
It took web-standards bodies a while to realize that people would want to write serious JavaScript heavy applications. Gmail changed all that but standards bodies like the W3C take a while to fill functionality holes.
于 2012-04-08T09:04:24.177 回答
0
您的建议最初会避免用户数据被利用,但这仍然意味着代码可以从任何其他潜在的恶意域运行,然后可以读取和传输该 cookie 数据,而无需在请求中隐式发送。我想现在的情况是安全性和灵活性之间的最佳折衷。
于 2012-04-08T09:22:02.477 回答