CORS-enabled server not denying requests

大兔子大兔子 提交于 2019-12-17 21:06:24

问题


I am trying to use express Cors with my resitfy server and it doesn't seem to be denying requests coming from other ips. I am working locally so I tried setting origin to a random public ip but all of my requests are still going through

Here is my route:

module.exports = function(app) {
    var user = require('./controllers/userController');
    var cors = require('cors');
    var corsOptions = require('./cors.json');


    app.post('/auth/signup', cors(corsOptions),user.createUser);
    app.post('/auth/login', cors(corsOptions), user.validateUser);
    app.post('/auth/generateKeys', cors(corsOptions), user.generateKeys);
    app.post('/auth/generateToken', user.generateToken);
};

and here is my cors.json file where I have set a random ip:

{
    "origin": "http://172.16.12.123",
    "optionsSuccessStatus": 200,
}

With cors set on the route I can see the following in postman but the request is still going through? I would expect an access denied response.

Access-Control-Allow-Origin →http://172.16.12.123


回答1:


CORS configuration on its own isn’t going to cause a server to deny requests from any IPs. You can’t do that just through CORS configuration.

The only thing a server does differently when you configure it with CORS support is just to send the Access-Control-Allow-Origin response header and other CORS response headers. That’s it.

Actual enforcement of CORS restrictions is done only by browsers, not by servers.

So no matter what server-side CORS configuration you make on, the server still goes on accepting requests from all clients and origins it would otherwise; in other words, all clients from all origins still keep on getting responses from the server just as they would otherwise.

But browsers will only expose responses from cross-origin requests to frontend JavaScript code running at a particular origin if the server the request was sent to opts-in to permitting the request by responding with an Access-Control-Allow-Origin header that allows that origin.

That’s the only thing you can do using CORS configuration. You can’t make a server only accept and respond to requests from particular origins just by doing any server-side CORS configuration. To do that, you need to use something other than just CORS configuration.




回答2:


CORS does not prevent anyone from sending GET or POST requests to your application or exposed API URL.

Instead, it indicates to the web browser that AJAX requests are allowed to this server, from the domain they are executed.

But only AJAX requests executed from a domain are CORS-controlled. Entering the URL in the web browser will not activate CORS: it is not a firewall.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

The order of event is:

  1. Domain A executes AJAX on User's browser to request API URL on Domain B

  2. User's browser sends a basic primary request to target Domain B and checks if CORS are allowed for Domain A

  3. If allowed, AJAX request is executed otherwise null is returned



来源:https://stackoverflow.com/questions/45069689/cors-enabled-server-not-denying-requests

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!