Question
Why do I need to set Access-Control-Allow-Origin to * for an MP3 file so that it can be loaded by websites of other domains? What's the security risk with this?
Or is it just to prevent others from displaying content that you didn't authorize them to (assuming browsers support CORS)?
Answer 1:
Most video players are initialized using JS in script tags, and video is fetched through an XMLHttpRequest.
According to the docs:
For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request HTTP resources from the same domain the application was loaded from unless CORS headers are used.
So for security and to prevent data breach, CORS headers are required.
Source: https://stackoverflow.com/questions/47950470/why-are-audio-files-mp3-blocked-by-cors-whats-the-security-risk
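
As an added example (not part of the original question or answer), the sketch below models the browser's CORS check from the Fetch standard for a cross-origin MP3; the function name, field names and both origins are assumptions made for illustration. It goes slightly beyond the answer by also covering a plain media element (no-cors mode) and credentialed requests, where `*` is not accepted.

```javascript
// Simplified model of the browser's "CORS check" (Fetch standard).
// Names are hypothetical; header keys are assumed to be lower-cased.
// mode "cors": XMLHttpRequest, fetch(), <audio crossorigin>.
// mode "no-cors": plain <audio src="..."> without the crossorigin attribute.
function corsOutcome({ pageOrigin, resourceOrigin, mode, credentials, headers }) {
  if (pageOrigin === resourceOrigin) return { readable: true, reason: "same-origin" };
  if (mode === "no-cors") {
    // The element may play the file, but script only sees an opaque response.
    return { readable: false, playable: true, reason: "opaque response" };
  }
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { readable: false, reason: "missing Access-Control-Allow-Origin" };
  }
  // "*" is honoured only when no cookies or HTTP auth were sent.
  if (!credentials && allowOrigin === "*") {
    return { readable: true, reason: "wildcard without credentials" };
  }
  if (allowOrigin !== pageOrigin) return { readable: false, reason: "origin mismatch" };
  if (!credentials) return { readable: true, reason: "origin match" };
  // Credentialed reads also need an explicit opt-in from the server.
  return headers["access-control-allow-credentials"] === "true"
    ? { readable: true, reason: "origin match with credentials" }
    : { readable: false, reason: "credentials not allowed" };
}

// Constructed sample: both origins are placeholders.
const base = { pageOrigin: "https://player.example", resourceOrigin: "https://cdn.example" };
const wildcard = { "access-control-allow-origin": "*" };

function demo() {
  return {
    xhrNoHeader: corsOutcome({ ...base, mode: "cors", credentials: false, headers: {} }),
    xhrWildcard: corsOutcome({ ...base, mode: "cors", credentials: false, headers: wildcard }),
    xhrWildcardCookies: corsOutcome({ ...base, mode: "cors", credentials: true, headers: wildcard }),
    plainAudioTag: corsOutcome({ ...base, mode: "no-cors", credentials: false, headers: {} }),
  };
}

console.log(demo());
```

The wildcard case with cookies fails because `*` is compared literally against the page origin once credentials are involved, which is why a public MP3 served with `*` does not expose cookie-protected content to other sites.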