Question
I keep fighting with strange limitations when developing for the web. One of them is the same-origin limitation for AJAX requests, and I'm asking myself whether, instead of blocking requests to cross-domain resources, it wouldn't have been simpler to just discard cookies when making them (to avoid misuse of the authentication credentials of the browser session).
Cookies are a facility, but not quite an essential one (for example, you can generate pages with the cookies in the request URLs if you need to keep context), whereas cross-domain blocking is quite annoying to circumvent.
There is also something that seems to me VERY strange from a logical point of view in blocking a specific subject from accessing a resource that literally everyone else in the whole world can access without authentication.
I'm wondering whether there's some real technical reason for which the same-origin policy is really the best solution.
Note that I'm asking just out of curiosity... I'm perfectly aware that in the web age horrible solutions can get crystallized into standards before experience has had the chance to show whether they are good or bad (quite a big part of JavaScript, for example).
Answer 1:
You're assuming that all authentication credentials are cookie-based, which isn't true. The browser might authenticate to another site using PKI certificates, or the site might trust the client just because it has a certain IP address on a trusted network. That's not something the client can just turn off for an individual request.
However, there's work being done on standardizing a way for sites to allow cross-origin requests to their resources. If a site knows that some of its content is public and no clients have special privileges, it can set an HTTP header to tell browsers that scripts loaded from other sites are allowed to see that content.
There is also something that seems to me VERY strange from a logical point of view in blocking a specific subject from accessing a resource that literally everyone else in the whole world can access without authentication.
The browser doesn't know that the whole world can access the resource without authentication. It doesn't know whether it sees the same content as other clients when accessing a given URL. What it's blocking is access to its own, potentially unique, view of the remote resource.
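The opt-in header the answer refers to is the Access-Control-Allow-Origin header of CORS. The following is an added example, not code from the question, the answer, or any project: it models the check a browser performs before letting cross-origin script read a response, and a server-side helper that shows how a site declares which of its resources are public. The header names are the real CORS ones; the resource paths, the origins and the "trusted origins" policy are constructed for illustration. It also shows the caveat the answer hints at: when the request carries credentials (cookies, a TLS client certificate), a wildcard grant is refused, because the server must explicitly vouch that this origin may read this client's view of the resource.

```javascript
// Added example (not from the original Q&A). Models the CORS decision on
// both sides of a cross-origin request. Paths, origins and the trust list
// below are constructed for illustration.

// Browser side: given the page's origin, the fetch credentials mode and the
// response headers (lowercase names), decide whether script may read the
// body. Without an opt-in header the response stays opaque to script.
function corsReadable(pageOrigin, credentialsMode, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  const allowCreds = headers['access-control-allow-credentials'];
  if (allowOrigin === undefined) return false; // no opt-in: opaque response
  if (credentialsMode === 'include') {
    // Ambient credentials are attached: "*" is refused, the server must name
    // this exact origin and separately allow credentials.
    return allowOrigin === pageOrigin && allowCreds === 'true';
  }
  // Anonymous request: a wildcard or an exact origin match is enough.
  return allowOrigin === '*' || allowOrigin === pageOrigin;
}

// Server side (constructed policy): resources known to be identical for every
// client get "*"; per-user resources echo only allow-listed origins, add the
// credentials grant, and set Vary: Origin so a shared cache never hands one
// origin's answer to another.
const PUBLIC_PATHS = new Set(['/api/public/feed']); // constructed
const TRUSTED_ORIGINS = new Set(['https://app.example']); // constructed

function corsHeadersFor(path, requestOrigin) {
  if (PUBLIC_PATHS.has(path)) {
    return { 'access-control-allow-origin': '*' };
  }
  if (requestOrigin && TRUSTED_ORIGINS.has(requestOrigin)) {
    return {
      'access-control-allow-origin': requestOrigin,
      'access-control-allow-credentials': 'true',
      'vary': 'Origin',
    };
  }
  return {}; // unknown origin: cross-origin script gets an opaque response
}

// End-to-end: a page at pageOrigin fetches path with the given credentials
// mode; returns whether its script can read the body.
function simulateFetch(pageOrigin, path, credentialsMode) {
  const responseHeaders = corsHeadersFor(path, pageOrigin);
  return corsReadable(pageOrigin, credentialsMode, responseHeaders);
}

// Stand-alone demonstration.
const cases = [
  ['https://other.example', '/api/public/feed', 'omit'],
  ['https://other.example', '/api/public/feed', 'include'],
  ['https://app.example', '/api/me', 'include'],
  ['https://other.example', '/api/me', 'include'],
  ['https://other.example', '/api/me', 'omit'],
];
for (const [origin, path, mode] of cases) {
  console.log(`${origin} -> ${path} (credentials: ${mode}):`,
    simulateFetch(origin, path, mode) ? 'readable' : 'blocked');
}
```

Note the second case: even a resource the server marked public with "*" is not readable by an unlisted origin once the request carries credentials. That is the browser refusing to assume that its authenticated view is the same as the anonymous one, which is exactly the point made in the answer.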
Source: https://stackoverflow.com/questions/13110764/wouldnt-have-been-simpler-to-just-discard-cookies-for-cross-domain-xhr