A Spec of Cross-Origin Resource Sharing (CORS)

最新推荐文章于 2025-01-06 15:25:27 发布

修行の米粒

最新推荐文章于 2025-01-06 15:25:27 发布

阅读量162

点赞数

CC 4.0 BY-SA版权

分类专栏：每日一篇Web开发英文文档

本文链接：https://blog.youkuaiyun.com/weixin_41709624/article/details/109459108

每日一篇Web开发英文文档专栏收录该内容

3 篇文章

订阅专栏

本文详细介绍了跨源资源共享（CORS）机制，解释了浏览器如何通过额外的HTTP头允许一个来源的应用访问另一个来源的资源。CORS支持安全的跨域请求及数据传输，并说明了现代浏览器如何使用CORS来缓解跨域HTTP请求的风险。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

Source:
（1）Cross-Origin Resource Sharing (CORS) (Must Read)
（2）github.com/rs/cors（Suggest to read source code）

Digest:
Cross-Origin Resources Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own.
For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers.
The CORS mechanism supports secure cross-origin requests and data transfers between browsers and servers. Modern browsers use CORS in APIs such XMLHttpRequest or Fetch to mitigate the risks of cross-origin HTTP requests.
The Cross-Origin Resource Sharing standard works by adding new HTTP headers that let servers describe which origins are permitted to read that information from a web browser. Additionally, for HTTP request methods that can cause side-effects on server data (in particular, HTTP methods other than GET, or POST with certain MIME types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with the HTTP OPTIONS request method, and then upon "approval" from the server, sending the actual request. Servers can also inform clients whether "credentials" (such as Cookies and HTTP Authentication) should be sent with requests.
CORS failures result in errors, but for security reasons, specifics about the error are not available to JavaScript. All the code knows is that an error occurred. The only way to determine what specifically went wrong is to look at the browser's console for details.