As I learned from this post, when page from www.a.commakes AJAX request to www.b.com, then it's the www.b.comthat decides if request should be allowed or not.

正如我从这篇文章中了解到的，当页面 from 向www.a.com发出 AJAX 请求时www.b.com，www.b.com决定是否应该允许请求。

Not quite. The request isn't blocked.

不完全的。请求没有被阻止。

By default the JavaScript running on www.a.comis forbidden access to the response from www.b.com.

默认情况下，运行的 JavaScriptwww.a.com被禁止访问来自www.b.com.

CORS allows www.b.comto give permission to the JavaScript from www.a.comto access the response.

CORS 允许www.b.com授予 JavaScriptwww.a.com访问响应的权限。

But what is exactly secured on client in such model?

但是在这样的模型中，客户端究竟保护了什么？

It stops the author of www.a.comfrom reading data from www.b.comusing the browser of A User who has visited both sites and has been authenticated on www.b.com(and thus has access to data that isn't public).

它阻止作者使用访问过两个站点并已通过身份验证（因此可以访问非公开数据）的用户的浏览器www.a.com读取数据。www.b.comwww.b.com

For example, Alice is logged into Google. Alice visits malicious.examplewhich uses XMLHttpRequest to access data from gmail.com. Alice has a GMail account so the response has a list of the most recent email in her inbox. The same origin policy prevents malicious.examplefrom reading it.

例如，Alice 登录了 Google。Alice 访问malicious.example它使用 XMLHttpRequest 从 访问数据gmail.com。爱丽丝有一个 GMail 帐户，因此回复在她的收件箱中包含最近的电子邮件列表。同源策略阻止malicious.example读取它。

For example, hacker success to make XSS script injection to my page, then it makes AJAX request to his domain to store user data. So hackers domain will allow such request for sure.

例如，黑客成功将 XSS 脚本注入我的页面，然后向他的域发出 AJAX 请求以存储用户数据。所以黑客域肯定会允许这样的请求。

Correct. XSS is a different security problem that needs to be addressed at source (i.e. at www.a.comand not in the browser).

正确的。XSS 是一个不同的安全问题，需要在源头（即在www.a.com浏览器中而不是在浏览器中）解决。

In addition to @Quentin's excellent answer, there is another technology known as Content Security Policywhich describes what you are after.

除了@Quentin 的出色回答之外，还有另一种称为内容安全策略的技术，它描述了您所追求的内容。

I thought that www.a.com should decide to which domains to allow the request to. So in theory within a header Access-Control-Allow-Origin I would like to put the whole list of the domains that are allowed for AJAX CORS requests.

我认为 www.a.com 应该决定允许请求的域。因此，理论上在标题 Access-Control-Allow-Origin 中，我想放置允许 AJAX CORS 请求的域的整个列表。

With CSP, you could set a header from your domain (www.a.comin your example) to restrict AJAX requests:

使用 CSP，您可以设置域中的标头（www.a.com在您的示例中）以限制 AJAX 请求：

connect-src limits the origins to which you can connect (via XHR, WebSockets, and EventSource).

connect-src 限制您可以连接的来源（通过 XHR、WebSockets 和 EventSource）。

So to use this you can add this Content-Security-PolicyHTTP header to your HTML response:

因此，要使用它，您可以将此Content-Security-PolicyHTTP 标头添加到您的 HTML 响应中：

Content-Security-Policy: connect-src 'self'

This will restrict AJAX requests to www.a.comif that header is in the response from www.a.com:

这会将 AJAX 请求限制www.a.com为该标头是否在来自www.a.com以下内容的响应中：

'self' matches the current origin, but not its subdomains

'self' 匹配当前来源，但不匹配其子域

See herefor supported browsers.

有关支持的浏览器，请参见此处。