为什么 Github OAuth 故意拦截 CORS
Posted | stdout
跟AI发闹骚学到的
https://github.com/isaacs/github/issues/330
Allowing CORS for the endpoint you mentioned would mean that you could complete this step of the Web flow from a browser:
And this would mean that you're hard-coding your client_id and client_secret into a webpage (or JS file loaded into that webpage) for everyone to see. This would indeed cause security concerns since the client_secret should be kept secret. If someone got hold of your client_id and client_secret, they could impersonate you application, and for example -- wipe all the tokens for that application:
如果允许在浏览器通过 client_id, client_secret 交换得到 access_token,那么实际上你的账号等于公开裸奔,你所有的 github 资产等于公开被人控制。所以必须走一个服务端流程,然后再把 access_token 下发
呃,好像很有道理。
Comments