CORS-enabled server not denying requests

前端 未结 2 1296
无人共我
无人共我 2020-11-28 16:45

I am trying to use express Cors with my resitfy server and it doesn\'t seem to be denying requests coming from other ips. I am working locally so I tried setting origin to a

相关标签:
2条回答
  • 2020-11-28 16:54

    CORS configuration on its own isn’t going to cause a server to deny requests. You can’t cause server-side blocking of requests just through CORS configuration.

    The only thing a server does differently when you configure it with CORS support is just to send the Access-Control-Allow-Origin response header and other CORS response headers. That’s it.

    Actual enforcement of cross-origin restrictions is done only by browsers, not by servers.

    So no matter what server-side CORS configuration you make to a server, the server still goes on accepting requests from all clients and origins it would otherwise; in other words, all clients from all origins still keep on getting responses from the server just as they would otherwise.

    But browsers will only expose responses from cross-origin requests to frontend JavaScript code running at a particular origin if the server the request was sent to opts-in to permitting the request by responding with an Access-Control-Allow-Origin header that allows that origin.

    That’s the only thing you can do using CORS configuration. You can’t make a server only accept and respond to requests from particular origins just by doing any server-side CORS configuration. To do that, you need to use something other than just CORS configuration.

    0 讨论(0)
  • 2020-11-28 17:14

    CORS does not prevent anyone from sending GET or POST requests to your application or exposed API URL.

    Instead, it indicates to the web browser that AJAX requests are allowed to this server, from the domain they are executed.

    But only AJAX requests executed from a domain are CORS-controlled. Entering the URL in the web browser will not activate CORS: it is not a firewall.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

    The order of event is:

    1. Domain A executes AJAX on User's browser to request API URL on Domain B

    2. User's browser sends a basic primary request to target Domain B and checks if CORS are allowed for Domain A

    3. If allowed, AJAX request is executed otherwise null is returned

    0 讨论(0)
提交回复
热议问题