CORS "trusts arbitrary origin" vulnerability: is it still unfixed in version 2.5.1, or does it require some specific configuration?

I added the following configuration, but it never takes effect:

```
nacos.allow.origin=http://10.2.41.80:8848
nacos.core.auth.enabled=true
```

The reproduction steps are as follows.

Request URL: http://10.2.41.80:8848/nacos/

Request header:

```
{
'field': 'Access-Control-Allow-Origin',
'value': 'http://10.2.41.80.znwe.com:8848'
}
```

Response:

```
HTTP/1.1 200
Content-Length: 2780
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.2.41.80.znwe.com:8848
Content-Language: en-US
Content-Security-Policy: script-src 'self'
Content-Type: text/html;charset=UTF-8
Date: Thu, 09 Oct 2025 06:54:21 GMT
Last-Modified: Tue, 11 Mar 2025 05:35:03 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
```
The expected result is that this request should be rejected, not answered with a normal response.