I read https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS and I wonder what or who that should protect. If you start Chrome, for example, in a mode without security restrictions, it calls all the APIs on the other domain without preflight or anything else. This means a naughty guy can get around this very easily. I don't see how this should protect the owner of a server application; the owner of such an application can use authentication to protect their site. So what is the scenario, and who gets protected?
It's not the owner of the service that gets protected, it's the user.
If you as a user are logged into application A, without CORS protection, application B can make requests on behalf of the user on application A.
This is extremely dangerous for the user and their data.
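As an added illustration (not part of the original answer), here is a simplified JavaScript model of the check a browser runs on the user's behalf before a page's script may read a response from another origin. The function names and the `a.example` / `b.example` origins and headers are constructed for the example.

```javascript
// Simplified model of the browser-side "CORS check" from the Fetch standard.
// It decides whether a script on pageOrigin may READ the response; it is
// enforced by the user's browser, which is why a client that skips it only
// removes the protection for the person running that client.

function corsCheck(pageOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive, so normalise the header map first.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;

  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false; // server did not opt in

  if (credentialsMode !== "include") {
    // Anonymous request: wildcard or exact origin match is enough.
    return allowOrigin === "*" || allowOrigin === pageOrigin;
  }
  // Request carries the user's cookies: wildcard is rejected, the origin
  // must match exactly and the server must explicitly allow credentials.
  if (allowOrigin !== pageOrigin) return false;
  return h["access-control-allow-credentials"] === "true";
}

function scriptMayRead(pageOrigin, targetUrl, credentialsMode, responseHeaders) {
  // Same-origin responses are always readable; the check applies cross-origin.
  if (new URL(targetUrl).origin === pageOrigin) return true;
  return corsCheck(pageOrigin, credentialsMode, responseHeaders);
}

// Constructed scenario: the user is logged into application A (a.example)
// and has a page from application B (b.example) open in the same browser.
const A_ACCOUNT = "https://a.example/account";
const B = "https://b.example";

const cases = [
  ["A sends no CORS headers", B, "include", {}],
  ["A sends wildcard", B, "include", { "Access-Control-Allow-Origin": "*" }],
  ["A trusts B explicitly", B, "include", {
    "Access-Control-Allow-Origin": B,
    "Access-Control-Allow-Credentials": "true",
  }],
  ["A's own page", "https://a.example", "include", {}],
];

for (const [label, origin, mode, headers] of cases) {
  console.log(label.padEnd(26), scriptMayRead(origin, A_ACCOUNT, mode, headers));
}
```
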