“Cross-origin resource sharing”的意思、由来-开放百科全书

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.^[1] A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.^[1] Certain "cross-domain" requests, notably Ajax requests, are forbidden by default by the same-origin security policy.

CORS defines a way in which a browser and server can interact to determine whether or not it is safe to allow the cross-origin request.^[2] It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. The specification for CORS was originally published as a W3C Recommendation^[3] but that document is obsolete.^[4] The current actively-maintained specification that defines CORS is WHATWG's Fetch Living Standard.^[5]

How CORS works

The CORS standard describes new HTTP headers which provide browsers a way to request remote URLs only when they have permission. Although some validation and authorization can be performed by the server, it is generally the browser's responsibility to support these headers and honor the restrictions they impose.

For Ajax and HTTP request methods that can modify data (usually HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.^[6]

Simple example

Suppose a user visits http://www.example.com and the page attempts a cross-origin request to fetch the user's data from http://service.example.com. A CORS-compatible browser will attempt to make a cross-origin request to service.example.com as follows.

A wildcard same-origin policy is appropriate when a page or API response is considered completely public content and it is intended to be accessible to everyone, including any code on any site. For example, a freely-available web font on a public hosting service like Google Fonts.

A wildcard same-origin policy is also widely and appropriately used in the object-capability model, where pages have unguessable URLs and are meant to be accessible to anyone who knows the secret.

The value of "*" is special in that it does not allow requests to supply credentials, meaning it does not allow HTTP authentication, client-side SSL certificates, or cookies to be sent in the cross-domain request.^[7]

Note that in the CORS architecture, the ACAO header is being set by the external web service (service.example.com), not the original web application server (www.example.com). Here, service.example.com uses CORS to permit the browser to authorize www.example.com to make requests to service.example.com.

Preflight example

When performing certain types of cross-domain Ajax requests, modern browsers that support CORS will insert an extra "preflight" request to determine whether they have permission to perform the action.

If service.example.com is willing to accept the action, it may respond with the following headers:

Headers

Request headers

Response headers

Browser support

History

Cross-origin support was originally proposed by Matt Oshry, Brad Porter, and Michael Bodell of Tellme Networks in March 2004 for inclusion in VoiceXML 2.1^[18] to allow safe cross-origin data requests by VoiceXML browsers. The mechanism was deemed general in nature and not specific to VoiceXML and was subsequently separated into an implementation NOTE.^[19] The WebApps Working Group of the W3C with participation from the major browser vendors began to formalize the NOTE into a W3C Working Draft on track toward formal W3C Recommendation status.

In May 2006 the first W3C Working Draft was submitted.^[20] In March 2009 the draft was renamed to "Cross-Origin Resource Sharing"^[21] and in January 2014 it was accepted as a W3C Recommendation.^[22]

CORS vs JSONP

CORS can be used as a modern alternative to the JSONP pattern. While JSONP supports only the GET request method, CORS also supports other types of HTTP requests. Using CORS enables a web programmer to use regular XMLHttpRequest, which supports better error handling than JSONP. On the other hand, JSONP works on legacy browsers which predate CORS support. CORS is supported by most modern web browsers. Also, while JSONP can cause cross-site scripting (XSS) issues when the external site is compromised, CORS allows websites to manually parse responses to ensure security.^[2]^[23]

See also

References

1. ^{{cite web|url=https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Cross-origin_network_access |title=Same-origin policy / Cross-origin network access|publisher=MDN}}
2. ^¹{{cite web|url=http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/ |title=Cross-domain Ajax with Cross-Origin Resource Sharing |publisher=NCZOnline |date= |accessdate=2012-07-05}}
3. ^{{cite web|url=http://www.w3.org/TR/cors/|title=Cross-Origin Resource Sharing|publisher=}}
4. ^{{cite web|url=https://www.w3.org/2017/08/16-webappsec-minutes.html#item03|title=WebAppSec Working Group Minutes|publisher=}}
5. ^{{cite web|url=https://fetch.spec.whatwg.org/|title=Fetch Living Standard|publisher=}}
6. ^{{cite web|url=https://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/ |title=cross-site xmlhttprequest with CORS |publisher=MOZILLA |date= |accessdate=2012-09-05}}
7. ^Cross-Origin Resource Sharing. W3.org. Retrieved on 2014-04-12.
8. ^¹{{cite web |title=Blink | date=April 2013 |publisher=QuirksBlog |url=http://www.quirksmode.org/blog/archives/2013/04/blink.html |accessdate=4 April 2013}}
9. ^{{cite news |title=Google going its own way, forking WebKit rendering engine |publisher=Ars Technica | date=April 2013 |url= https://arstechnica.com/information-technology/2013/04/google-going-its-own-way-forking-webkit-rendering-engine/ |accessdate=4 April 2013}}
10. ^{{cite web|url=https://developer.mozilla.org/En/HTTP_access_control |title=HTTP access control (CORS) - MDN |publisher=Developer.mozilla.org |date= |accessdate=2012-07-05}}
11. ^{{cite web|url=https://developer.mozilla.org/en/Gecko |title=Gecko - MDN |publisher=Developer.mozilla.org |date=2012-06-08 |accessdate=2012-07-05}}
12. ^{{cite web|author1=Tony Ross |author2=Program Manager |author3=Internet Explorer |url=http://blogs.msdn.com/b/ie/archive/2012/02/09/cors-for-xhr-in-ie10.aspx |title=CORS for XHR in IE10 |publisher=MSDN |date=2012-02-09 |accessdate=2012-12-14}}
13. ^{{cite web|author=David Honneffer, Documentation Specialist |url=http://www.opera.com/docs/changelogs/unix/1200/ |title=12.00 for UNIX Changelog |publisher=Opera |date=2012-06-14 |accessdate=2012-07-05}}
14. ^{{cite web|author=David Honneffer, Documentation Specialist |url=http://www.opera.com/docs/specs/presto2.10/#m210-236 |title=Opera Software: Web specifications support in Opera Presto 2.10 |publisher=Opera.com |date=2012-04-23 |accessdate=2012-07-05}}
15. ^¹²{{cite web|author=on July 6, 2009 by Arun Ranganathan |url=https://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/ |title=cross-site xmlhttprequest with CORS ✩ Mozilla Hacks – the Web developer blog |publisher=Hacks.mozilla.org |date=2009-07-06 |accessdate=2012-07-05}}
16. ^{{cite web|url=http://osvdb.org/59940 |title=59940: Apple Safari WebKit Cross-Origin Resource Sharing Bypass |publisher=Osvdb.org |date= |accessdate=2012-07-05}}
17. ^ {{cite web|title=Microsoft Edge deverloper's guide|url=https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/performance/xmlhttprequest/}}
18. ^{{cite web|url=http://www.w3.org/TR/2004/WD-voicexml21-20040323/ |title=Voice Extensible Markup Language (VoiceXML) 2.1 |publisher=W3.org |date=2004-03-23 |accessdate=2012-07-05}}
19. ^{{cite web|url=http://www.w3.org/TR/2005/NOTE-access-control-20050613/ |title=Authorizing Read Access to XML Content Using the Processing Instruction 1.0 |publisher=W3.org |date= |accessdate=2012-07-05}}
20. ^{{cite web|title=Authorizing Read Access to XML Content Using the Processing Instruction 1.0 W3C - Working Draft 17 May 2006|url=http://www.w3.org/TR/2006/WD-access-control-20060517/|publisher=W3.org|accessdate=17 August 2015}}
21. ^{{cite web|title=Cross-Origin Resource Sharing - W3C Working Draft 17 March 2009|url=http://www.w3.org/TR/2009/WD-cors-20090317/|publisher=W3.org|accessdate=17 August 2015}}
22. ^{{cite web|title=Cross-Origin Resource Sharing - W3C Recommendation 16 January 2014|url=http://www.w3.org/TR/2014/REC-cors-20140116/|publisher=W3.org|accessdate=17 August 2015}}
23. ^{{cite web|url=http://caniuse.com/#feat=cors |title=When can I use... Cross Origin Resource Sharing |publisher=caniuse.com |date= |accessdate=2012-07-12}}