Getting the originating host of a JavaScript HTTP request (Javascript, Http)

Shared by: ヤ坏小子的爱情

When doing a cross-domain HTTP request from a JavaScript client, like jQuery (from a client browser), will the receiving end be able to point out where the JavaScript request came from?

Example: I have a site, and it loads up a JavaScript that will call a web service, say foo.com/someapi

When the API receives the request, will it be able to get the originating host? Say my site is bar.com; when I access bar.com/index.html it will load up the page and fire the JavaScript HTTP request to foo.com/someapi

In the client request there was no server-side request involved; it's pure JavaScript.

Furthermore, what if the call is executed from a development environment, like localhost? What will be the hostname that the receiving foo.com/someapi gets?

What does a browser do when doing an HTTP request from JavaScript:

on a site on a public domain
and on a localhost site

Recommended answer

@Andbdrew mentions the Origin header, which is part of the Cross-Origin Resource Sharing (CORS) specification. It's a useful guide, but not necessarily accurate (or always available).

The only bit of information that is (almost) 100% reliable is the IP address that the request came from (or, rather, the IP address of the closest proxy server that relayed the request). That needs to be accurate or else the response will not get back to the computer that made the request. However, it only shows the location of the client, and not the origin of the page that is making the request. (And this location will be the same regardless of whether the page was loaded from a file, localhost, or an external site.)

With a CORS-supporting browser, what is supposed to happen is this:

1. Client requests a page from foo.com

2. foo.com returns a page, including some scripts (possibly as external resources).

3. These scripts run with their origin set to foo.com

4. The scripts try to request another resource from bar.com

5. The client sends a request to bar.com with the HTTP Origin header set to 'foo.com' -- this isn't the client's hostname, but it represents where the scripts came from.

6. bar.com (if it supports CORS) should return the resource with an Access-Control-Allow-Origin header set (or a related header).

A few points about this:

If the client does not support CORS, then it will not send the Origin header at all. See http://caniuse.com/cors for a list of browser support.

If the first request is not to foo.com, but to a file:// URL, then no Origin header will be sent.

If that request is not a file:// URL, but instead comes from localhost, then the Origin header should be set. There's nothing in the spec which says not to, but I haven't checked to see what browsers actually do.

There are some other situations in which the Origin header will not be sent; browser extensions and (I believe) Chrome apps will not send it.

If the server does not support CORS, then it will ignore the header, and the browser will probably reject the response.

Now, with all of that being said, you can't rely on any of this. CORS is fundamentally a technology designed to help the client browser protect itself against the scripts that it runs. It is not about protecting the server, or even letting the server know who is accessing the data, since it could be very easily faked. The reason it exists is to give "good" scripts running in a "good" browser a way of saying who they are -- a way that "bad" scripts running in the same "good" browser should not be able to impersonate.

It absolutely does not mean that the server which actually controls the resource should rely on that header for any sort of security. If the data being accessed is really important, there should be proper access controls on it (HTTPS, passwords, and secure cookie-based sessions are a good combination).
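As an added example (not code from the original question or answer), here is how the receiving side at foo.com/someapi can read the Origin header, answer preflights against an explicit allow-list, and still decide authorization from a session cookie rather than from Origin, in Node.js-style JavaScript. The allow-list, the session store, the localhost port, the sample requests and the function names are all assumptions made for illustration; header names are lower-case as Node's http module exposes them.

```javascript
'use strict';

// Added example, not part of the original question or answer: how a CORS
// endpoint such as foo.com/someapi should treat the Origin header. Host names,
// the allow-list, the session store and the sample requests are all assumed
// for illustration; header names are lower-case as Node's http module exposes them.

// Pages allowed to *read* responses from this API. An explicit allow-list is
// essential: reflecting any Origin together with Allow-Credentials lets every
// site on the web read authenticated responses.
const ALLOWED_ORIGINS = new Set([
  'https://bar.com',
  'http://localhost:3000', // assumed development front-end
]);

// Say what the browser told us about where the script came from. The header is
// absent for same-origin requests, pages opened from file://, most extensions,
// and any non-browser client, so "no-origin" is not an error.
function classifyOrigin(headers) {
  const origin = headers.origin;
  if (origin === undefined) return 'no-origin';
  if (origin === 'null') return 'opaque'; // sandboxed iframe, some file:// loads
  let url;
  try {
    url = new URL(origin);
  } catch (_) {
    return 'malformed';
  }
  const host = url.hostname;
  return host === 'localhost' || host === '127.0.0.1' ? 'localhost' : 'remote';
}

// CORS decision for one request: which CORS headers to attach and, for a
// preflight, what status to return. Non-allow-listed origins still get the
// resource; the browser, not the server, enforces the read restriction.
function corsDecision(req) {
  const headers = {};
  const origin = req.headers.origin;
  const allowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  if (allowed) {
    headers['Access-Control-Allow-Origin'] = origin; // echo allow-listed value only
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin'; // shared caches must key on Origin
  }
  const isPreflight =
    req.method === 'OPTIONS' && req.headers['access-control-request-method'] !== undefined;
  if (isPreflight) {
    if (!allowed) return { status: 403, headers, allowed };
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] =
      req.headers['access-control-request-headers'] || 'content-type';
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers, allowed };
  }
  return { status: 200, headers, allowed };
}

// Authorization is decided by the session cookie, never by Origin: a curl
// request with a forged "Origin: https://bar.com" passes the CORS check above
// but carries no session and is refused here.
const SESSIONS = new Map([['s3cr3t-session-id', { user: 'alice' }]]); // constructed

function sessionFor(headers) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(headers.cookie || '');
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Full handler for foo.com/someapi: returns { status, headers, body } so it can
// be wired into http.createServer or exercised without opening a socket.
function handleSomeApi(req) {
  const cors = corsDecision(req);
  if (req.method === 'OPTIONS') return { status: cors.status, headers: cors.headers, body: '' };
  const session = sessionFor(req.headers);
  if (!session) return { status: 401, headers: cors.headers, body: 'login required' };
  const body = JSON.stringify({ user: session.user, origin: classifyOrigin(req.headers) });
  return { status: 200, headers: cors.headers, body };
}

// Constructed requests as foo.com/someapi would see them.
const SAMPLE_REQUESTS = {
  fromBarCom: { method: 'GET', headers: { origin: 'https://bar.com', cookie: 'session=s3cr3t-session-id' } },
  fromLocalhost: { method: 'GET', headers: { origin: 'http://localhost:3000', cookie: 'session=s3cr3t-session-id' } },
  fromFileUrl: { method: 'GET', headers: { cookie: 'session=s3cr3t-session-id' } }, // no Origin at all
  fromOtherSite: { method: 'GET', headers: { origin: 'https://other.example', cookie: 'session=s3cr3t-session-id' } },
  forgedWithCurl: { method: 'GET', headers: { origin: 'https://bar.com' } }, // curl -H 'Origin: https://bar.com'
  preflight: { method: 'OPTIONS', headers: { origin: 'https://bar.com', 'access-control-request-method': 'POST', 'access-control-request-headers': 'content-type' } },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  const res = handleSomeApi(req);
  console.log(name, res.status, res.headers['Access-Control-Allow-Origin'] || '(no ACAO)', classifyOrigin(req.headers));
}
```

The two decisions are deliberately separate: corsDecision only ever echoes an allow-listed Origin (never the raw header), and handleSomeApi grants access on the session alone, so the forged-Origin request gets CORS headers but a 401, while the file:// and other.example requests get the resource but no Access-Control-Allow-Origin, which is exactly the "browser protects itself, server protects the data" split the answer describes.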
