且构网

Sharing the things programmers run into in development...

Confusion about how Cross-Origin Resource Sharing (CORS) works

Updated: 2023-08-18 19:14:58

However this really doesn't make sense to me. I thought CORS was designed to enable foo.com to dictate who X is allowed to communicate with.

No, it's about bar.com controlling use of its content.

But CORS is enforced by the browser, all you'd have to do is make evil.com a proxy that sends faked origin requests to bar.com...

Yup. And if you do, and the people at bar.com notice and care, they disallow requests from your server. You move it, they disallow the new one. Whack-a-mole time. But painful as that game of whack-a-mole is, it's a lot less painful than if the requests come directly from each individual user of foo.com, from their desktop.

Having foo.com enforce what foo.com can do doesn't make any sense. foo.com already enforces what foo.com can do, because it's foo.com that serves foo.com's content and scripts.