CORS是一件好事.

特别是当我们从基于云的CRM调用的web服务不包含我们的域名时.

但是,它是一种纯合物吗？
我感到有压力让我们的ReST-ish webservices中的所有资源都提供CORS标头.

我很担心CORS可能会在我们的设计中暴露出一个“洞”……而我的直觉是信息隐藏是使编程不会转化为意大利面条代码的原因.

有没有关于何时CORS-ifying你的资源走得太远的文献？ (我没有找到任何,但我可能没有找到正确的地方)

最佳答案 根据WhatWG,使用Access-Control-Allow-Origin：*
is safe so long as your app is not behind a firewall：

Even if a resource exposes additional information based on cookie or HTTP authentication, using the above header will not reveal it. It will share the resource with APIs such as XMLHttpRequest, much like it is already shared with curl and wget.

Thus in other words, if a resource cannot be accessed from a random device connected to the web using curl and wget the aforementioned header is not to be included. If it can be accessed however, it is perfectly fine to do so.

我的理解是除非在设置了withCredentials标志的情况下发出请求,否则不发送auth / cookies,并且如果设置了withCredentials标志,则不允许通配该资源.

换句话说,如果Access-Control-Allow-Origin没有将发送域列入白名单,则永远不会提供身份验证凭据.