javascript - CORS 服务器端与客户端？为什么一个有效，而另一个却无效？

Question

我不确定我是否理解这一点。我可以编写一个简单的服务器端代码来抓取任何网站的 HTML 内容。在我的本地 PC 或任何主机上运行它，并从任何网站检索任何页面。但这不能通过 javaScript 完成吗？

远程主机怎么可能知道发出请求的是哪种类型的应用程序？出于安全目的不允许跨源请求？我为什么可以使用服务器端代码发出完全相同的请求？并在本地或远程任何地方运行此代码？下面是一个简单的示例，可以从 Weather 站点获取 HTML 页面内容，效果很好。但我不能在 JavaScript 代码中执行此操作？没有意义。

public static class WeatherManager
{
    private static HtmlDocument document = new HtmlDocument();

    public static MyWeather GetWeather()
    {
        try
        {
            var web = new HtmlWeb();
            document = web.Load("http://www.weatheroffice.gc.ca/city/pages/on-143_metric_e.html");
        }
        catch (Exception ex)
        {
            throw new Exception("Weather is not loaded");
        }

        var mainContent = document.DocumentNode.SelectSingleNode("//*[@id='mainContent']");
        var nownode = mainContent.SelectSingleNode("//section[1]/details/div/div");
        var forecastnodes = mainContent.SelectNodes("//section[2]/details/table[1]/tr[2]/td");

        // Do some processing....
    }
}

但是当我尝试从 Angular(或任何我认为的 JS 库)发出类似的请求时

getWeatherForecast() {
    const url = 'https://weather.gc.ca/city/pages/on-143_metric_e.html';
    return this.$http.get(url);
}

我得到了这样的东西

我知道... CORS 好吧，但如果它是出于安全目的，我怎么能以我喜欢的方式发出这些 CORS 请求，例如上面的服务器端代码？

Answer 1

But this couldn't be done via javaScript?

是的，可以——只是不能在浏览器上。您可以在 Node 中或在 JVM 中(因为 JVM 通过 javax.script 支持 JavaScript)或在 Windows 上的 Metro 应用程序等中使用 JavaScript 发出请求。

How is that possible for remote host to know what sort of application is making a request?

事实并非如此。 浏览器强制执行同源策略，而不是服务器。

How come I can make the exact same request using the server-side code?

...

...but if its done for security purpose, how come I can make these CORS requests anyway I like, for example as server-side code above?

因为您的服务器端代码无法访问潜在 secret 的客户端信息。来自 the Wikipedia article on the SOP :

The same-origin policy helps protect sites that use authenticated sessions. The following example illustrates a potential security risk that could arise without the same-origin policy. Assume that a user is visiting a banking website and doesn't log out. Then, the user goes to another site that has some malicious JavaScript code running in the background that requests data from the banking site. Because the user is still logged in on the banking site, the malicious code could do anything the user could do on the banking site. For example, it could get a list of the user's last transactions, create a new transaction, etc. This is because the browser can send and receive session cookies to the banking site based on the domain of the banking site.

The user visiting the malicious site would expect that the site he or she is visiting has no access to the banking session cookie. While it is true that the JavaScript has no direct access to the banking session cookie, it could still send and receive requests to the banking site with the banking site's session cookie. Because the script can essentially do the same as the user would do, even CSRF protections by the banking site would not be effective.