为什么 Github OAuth 故意拦截 CORS

跟AI发闹骚学到的

https://github.com/isaacs/github/issues/330

Allowing CORS for the endpoint you mentioned would mean that you could complete this step of the Web flow from a browser:
And this would mean that you're hard-coding your client_id and client_secret into a webpage (or JS file loaded into that webpage) for everyone to see. This would indeed cause security concerns since the client_secret should be kept secret. If someone got hold of your client_id and client_secret, they could impersonate you application, and for example -- wipe all the tokens for that application:

如果允许在浏览器通过 client_id, client_secret 交换得到 access_token,那么实际上你的账号等于公开裸奔,你所有的 github 资产等于公开被人控制。所以必须走一个服务端流程,然后再把 access_token 下发

呃,好像很有道理。

Comments