With respect to client side security, does CORS do anything other than subvert same-origin-policy?

…衆ロ難τιáo~ submitted on 2019-12-10 13:41:44

Question


(and if not, does it actually improve client side security?)

I'm thinking of the case where a script from server X uses XHR to obtain and run untrusted code from server Y (which supports CORS).

(obviously evaluating untrusted code is bad™)


Answer 1:


I do not use CORS to improve security at all. I use CORS to access a known webservice on a different domain which I would not be allowed to access without CORS. Nothing to do with improving security in my opinion, but to allow data from one domain to be entrusted to another.




Answer 2:


CORS isn't about hardening security, it's about weakening it (but only under certain conditions with permission from the server).

If you want to access something from another server in an AJAX request, without CORS, you aren't allowed due to "security" (same origin policy), and that is the end of it*. With CORS, the other server can give permission to reduce that security barrier.

* Except for hacks like JSONP, but that also requires permission from the server.




Answer 3:


CORS subverts the same-origin policy, but selectively so. For example, a bank website domain would not set a CORS header at all (to keep same-origin in full effect), as no JavaScript downloaded from other domains should be making AJAX requests to the bank (or maybe they allow just a partner site they trust). A CDN would probably set Access-Control-Allow-Origin "*", as it doesn't care if JavaScript downloaded from another domain is making AJAX requests to the CDN.
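The three postures this answer describes (no CORS header at all, an exact allow-list for a trusted partner, and a public wildcard) can be made concrete with a small model of both sides of the exchange. The following is an added example, not code from the question or any of the answers: `corsHeadersFor` plays the server deciding which `Access-Control-Allow-Origin` value to emit for a given request `Origin`, and `browserAllowsRead` plays the browser deciding whether the page is allowed to read the response. The policy object shape, the function names and the sample origins are this example's own assumptions; the header semantics (exact-match origin, wildcard never valid for credentialed requests, `Vary: Origin` when the value is echoed per origin) follow the CORS specification.

```javascript
// Added example: a minimal model of server-side CORS policy and the
// browser's read decision. Policy shape and names are assumptions of
// this example, not part of the original answers.
//
// policy.mode is one of:
//   "none"      - no CORS header at all (the "bank" case in the answer)
//   "allowlist" - echo the Origin only if it is on an exact-match list
//                 (the "trusted partner" case)
//   "public"    - Access-Control-Allow-Origin: * (the "CDN" case)

function corsHeadersFor(requestOrigin, policy) {
  const headers = {};
  if (!requestOrigin || policy.mode === "none") {
    return headers; // same-origin policy stays in full effect
  }
  if (policy.mode === "public") {
    headers["Access-Control-Allow-Origin"] = "*";
    return headers; // no credentials flag: "*" cannot carry cookies
  }
  // allowlist: compare the full origin string exactly; prefix or
  // substring matching would let attacker-controlled origins through
  if (policy.origins.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin"; // response differs per origin, so caches must key on it
    if (policy.credentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  return headers;
}

// The browser side: given the page's origin and the response headers,
// may the page read the response body?
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;            // no header: blocked
  if (acao === "*") return !withCredentials;       // wildcard never satisfies a credentialed request
  if (acao !== pageOrigin) return false;           // must match exactly
  if (withCredentials &&
      responseHeaders["Access-Control-Allow-Credentials"] !== "true") {
    return false;                                   // cookies sent but not allowed
  }
  return true;
}

// Constructed scenarios illustrating the answer's three cases.
function runScenarios() {
  const bank = { mode: "none" };
  const bankWithPartner = {
    mode: "allowlist",
    origins: ["https://partner.example"],
    credentials: true,
  };
  const cdn = { mode: "public" };

  const check = (page, policy, creds) =>
    browserAllowsRead(page, corsHeadersFor(page, policy), creds);

  return {
    bankFromAnySite: check("https://other.example", bank, true),
    partnerToBank: check("https://partner.example", bankWithPartner, true),
    strangerToBank: check("https://evil.example", bankWithPartner, true),
    lookalikeToBank: check("https://partner.example.evil.example", bankWithPartner, true),
    anySiteToCdn: check("https://other.example", cdn, false),
    anySiteToCdnWithCookies: check("https://other.example", cdn, true),
  };
}

console.log(runScenarios());
```

Two details worth noticing: the allow-list compares the whole origin string, so a look-alike origin that merely starts with the partner's name is rejected, and the public wildcard only works for requests made without credentials, which is exactly why it is safe for a CDN serving non-sensitive content but not for anything that relies on the user's cookies.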



Source: https://stackoverflow.com/questions/6240212/with-respect-to-client-side-security-does-cors-do-anything-other-than-subvert-s
