What are the security risks of setting Access-Control-Allow-Origin for ajax?

Note: this page is a Chinese-English bilingual translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/12001269/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-09-06 10:49:03  Source: igfitidea

What are the security risks of setting Access-Control-Allow-Origin?

ajax, security, cors

Asked by Hamed Momeni

I recently had to set Access-Control-Allow-Origin to * in order to be able to make cross-subdomain ajax calls.
Now I can't help but feel that I'm putting my environment to security risks.
Please help me if I'm doing it wrong.


Accepted answer by Gumbo

By responding with Access-Control-Allow-Origin: *, the requested resource allows sharing with every origin. This basically means that any site can send an XHR request to your site and access the server's response which would not be the case if you hadn't implemented this CORS response.


So any site can make a request to your site on behalf of their visitors and process its response. If you have something implemented like an authentication or authorization scheme that is based on something that is automatically provided by the browser (cookies, cookie-based sessions, etc.), the requests triggered by the third party sites will use them too.


This indeed poses a security risk, particularly if you allow resource sharing not just for selected resources but for every resource. In this context you should have a look at When is it safe to enable CORS?.

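As an added example (not code from the thread or from any of its authors), here is what the wildcard setting from the question looks like beside the server-side fix the accepted answer points at: a pure function over the incoming request headers that only ever echoes an Origin found on an explicit allowlist, and that never pairs `*` with credentials. It is written for Node.js (header names lower-cased, as the `http` module delivers them); the allowlist, origins and header sets are constructed sample values.

```javascript
// Added example, not code from the StackOverflow thread. A server-side CORS
// policy as a pure function over the incoming request headers (lower-cased
// names, as Node's http module delivers them). ALLOWED_ORIGINS is a
// constructed sample allowlist.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// The setting from the question: every origin may read every response.
// Acceptable only for data you would hand to an anonymous visitor anyway.
function wildcardCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// The corrected setting: echo the Origin back only if it is on the allowlist.
// Matching is exact on the whole origin (scheme, host, port); prefix or regex
// matches are a classic mistake, since 'https://app.example.com.attacker.net'
// starts with an allowed value. 'Vary: Origin' keeps shared caches from
// serving one origin's headers to another.
function allowlistCorsHeaders(requestHeaders, { credentials = false } = {}) {
  const headers = { 'Vary': 'Origin' };
  const origin = requestHeaders['origin'];
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return headers; // no ACAO header at all: the browser keeps the response opaque
  }
  headers['Access-Control-Allow-Origin'] = origin;
  if (credentials) {
    // Browsers reject '*' combined with credentials; cookies and other
    // ambient credentials require the exact origin plus this opt-in.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Response to the OPTIONS preflight: same origin decision, plus the methods
// and request headers the resource accepts (constructed sample values).
function preflightHeaders(requestHeaders, opts) {
  const headers = allowlistCorsHeaders(requestHeaders, opts);
  if (headers['Access-Control-Allow-Origin'] === undefined) return headers;
  headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
  headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  headers['Access-Control-Max-Age'] = '600'; // cache the preflight for 10 minutes
  return headers;
}

// Sample request from a constructed third-party page, as a browser would send it.
const sampleRequest = { origin: 'https://evil.example.net', 'access-control-request-method': 'POST' };
console.log(wildcardCorsHeaders());               // { 'Access-Control-Allow-Origin': '*' }
console.log(allowlistCorsHeaders(sampleRequest)); // { Vary: 'Origin' }
```

The second output carries no `Access-Control-Allow-Origin` at all, which is the correct answer for an origin you do not trust: the browser then refuses to hand the response to the script. Omitting `Vary: Origin` is a common follow-on bug, since a cache between the server and its clients can otherwise replay the header echoed for one origin to a request from another.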

Answer by JaffaTheCake

Access-Control-Allow-Origin: * is totally safe to add to any resource, unless that resource contains private data protected by something other than standard credentials (cookies, basic auth, TLS client certificates).


Eg: Data protected by cookies is safe


Imagine https://example.com/users-private-data, which may expose private data depending on the user's logged in state. This state uses a session cookie. It's safe to add Access-Control-Allow-Origin: * to this resource, as this header only allows access to the response if the request is made without cookies, and cookies are required to get the private data. As a result, no private data is leaked.


Eg: Data protected by location / ip / internal network is not safe (unfortunately common with intranets and home appliances):


Imagine https://intranet.example.com/company-private-data, which exposes private company data, but this can only be accessed if you're on the company's wifi network. It's not safe to add Access-Control-Allow-Origin: * to this resource, as it's protected using something other than standard credentials. Otherwise, a bad script could use you as a tunnel to the intranet.


Rule of thumb


Imagine what a user would see if they accessed the resource in an incognito window. If you're happy with everyone seeing this content (including the source code the browser received), it's safe to add Access-Control-Allow-Origin: *.

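To make the two cases above concrete, here is an added example (not from the answer's author) that models the check a browser runs on a response before it lets a cross-origin script read the body, then applies it to stand-ins for the two URLs. The check is a simplification of the Fetch standard's CORS check to the headers that matter here; the origins, the cookie value and the two server functions are constructed for the demonstration.

```javascript
// Added example, not code from the StackOverflow answers. Origins, cookie
// value and server stand-ins are constructed for the demonstration.

// Simplified form of the browser's CORS check on a response (Fetch standard):
// decides whether a script from requestOrigin may read the response body.
function browserAllowsRead(requestOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;              // no header: response stays opaque
  if (!withCredentials && acao === '*') return true; // wildcard only helps anonymous requests
  if (acao !== requestOrigin) return false;          // otherwise the exact origin must be echoed
  if (!withCredentials) return true;
  // With credentials the server must also opt in explicitly; '*' never counts.
  return responseHeaders['access-control-allow-credentials'] === 'true';
}

const VICTIM_COOKIE = 'session=abc'; // constructed session cookie

// Stand-in for https://example.com/users-private-data: private only with the cookie.
function usersPrivateData(request) {
  const body = request.cookie === VICTIM_COOKIE
    ? 'PRIVATE: account details'
    : 'public landing page';
  return { headers: { 'access-control-allow-origin': '*' }, body };
}

// Stand-in for https://intranet.example.com/company-private-data: the only
// gate is being on the company network, which the user's browser already is.
function companyPrivateData() {
  return { headers: { 'access-control-allow-origin': '*' }, body: 'PRIVATE: company data' };
}

// A script on a third-party page fetches the resource from the user's browser.
// The cookie travels only when the request is credentialed (for example
// fetch(url, { credentials: 'include' })); the body is readable only when the
// CORS check passes. Returns the body the script sees, or null when blocked.
function crossOriginFetch(server, { origin, credentials }) {
  const response = server({ cookie: credentials ? VICTIM_COOKIE : undefined });
  return browserAllowsRead(origin, credentials, response.headers) ? response.body : null;
}

const THIRD_PARTY = 'https://third-party.example.net'; // constructed origin
console.log(crossOriginFetch(usersPrivateData, { origin: THIRD_PARTY, credentials: false }));   // public landing page
console.log(crossOriginFetch(usersPrivateData, { origin: THIRD_PARTY, credentials: true }));    // null
console.log(crossOriginFetch(companyPrivateData, { origin: THIRD_PARTY, credentials: false })); // PRIVATE: company data
```

The first two lines are the cookie case: an anonymous request gets only the public page, and a credentialed request is sent with the cookie but the wildcard fails the check, so the script never sees the private body. The third line is the intranet case: the browser is already on the network, the request needs no credentials, and `*` lets the third-party script read the private data. Two caveats follow from the model: CORS only decides whether a response can be read, so a credentialed request is still delivered to the server and state-changing endpoints need their own CSRF protection; and network position is not a credential the browser knows about, so it cannot protect anything behind a wildcard.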

Answer by commonpike

AFAIK, Access-Control-Allow-Origin is just an HTTP header sent from the server to the browser. Limiting it to a specific address (or disabling it) does not make your site safer for, for example, robots. If robots want to, they can just ignore the header. The regular browsers out there (Explorer, Chrome, etc.) by default honor the header. But an application like Postman simply ignores it.


The server end doesn't actually check what the 'origin' is of the request when it returns the response. It just adds the http header. It's the browser (the client end) which sent the request that decides to read the access-control header and act upon it. Note that in the case of XHR it may use a special 'OPTIONS' request to ask for the headers first.


So, anyone with creative scripting abilities can easily ignore the whole header, whatever is set in it.


See also Possible security issues of setting Access-Control-Allow-Origin.




Now to actually answer the question


I can't help but feel that I'm putting my environment to security risks.


If anyone wants to attack you, they can easily bypass the Access-Control-Allow-Origin. But by enabling '*' you do give the attacker a few more 'attack vectors' to play with, like, using regular webbrowsers that honor that HTTP header.


Answer by Christian Gollhardt

Here are 2 examples posted as comments, when a wildcard is really problematic:


Suppose I log into my bank's website. If I go to another page and then go back to my bank, I'm still logged in because of a cookie. Other users on the internet can hit the same URLs at my bank as I do, yet they won't be able to access my account without the cookie. If cross-origin requests are allowed, a malicious website can effectively impersonate the user.


Brad


Suppose you have a common home router, such as a Linksys WRT54g or something. Suppose that router allows cross-origin requests. A script on my web page could make HTTP requests to common router IP addresses (like 192.168.1.1) and reconfigure your router to allow attacks. It can even use your router directly as a DDoS node. (Most routers have test pages which allow for pings or simple HTTP server checks. These can be abused en masse.)


Brad


I feel that these comments should have been answers, because they explain the problem with a real life example.
