* [fess_label_en.properties](https://github.com/codelibs/fess/blob/master/src/main/resources/fess_label_en.properties)
* [fess_message_en.properties](https://github.com/codelibs/fess/blob/master/src/main/resources/fess_message_en.properties)

 [AccessHeadersJava]: https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/AccessHeaders.java
 [AccessHeadersKotlin]: https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/kt/AccessHeaders.kt

      [`Cast.cast`](https://github.com/gradle/gradle/blob/674b8430b024f03cae24f1e4dd6dbaa78b557dae/platforms/core-runtime/stdlib-java-extensions/src/main/java/org/gradle/internal/Cast.java#L37)
      and
      [`Cast.castNullable`](https://github.com/gradle/gradle/blob/674b8430b024f03cae24f1e4dd6dbaa78b557dae/platforms/core-runtime/stdlib-java-extensions/src/main/java/org/gradle/internal/Cast.java#L62).

      }
    ```

 [CustomTrustJava]: https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/CustomTrust.java
 [CustomTrustKotlin]: https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/kt/CustomTrust.kt
 [CertificatePinningJava]: https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/CertificatePinning.java

  private static final HashFunction SIP_WITHOUT_KEY = sipHash24();

  // These constants were originally ported from https://www.131002.net/siphash/siphash24.c. See:
  // https://github.com/nahi/siphash-java-inline/blob/master/src/test/java/org/jruby/util/SipHashInlineTest.java
  private static final long[] EXPECTED =
      new long[] {
        0x726fdb47dd0e0e31L,
        0x74f839c593dc67fdL,
        0x0d6c8009d9a94f5aL,

  private static final HashFunction SIP_WITHOUT_KEY = sipHash24();

  // These constants were originally ported from https://www.131002.net/siphash/siphash24.c. See:
  // https://github.com/nahi/siphash-java-inline/blob/master/src/test/java/org/jruby/util/SipHashInlineTest.java
  private static final long[] EXPECTED =
      new long[] {
        0x726fdb47dd0e0e31L,
        0x74f839c593dc67fdL,
        0x0d6c8009d9a94f5aL,

## CSRF 风险 { #csrf-risk }

此默认行为在一个非常特定的场景下，可防御一类跨站请求伪造（CSRF）攻击。

这类攻击利用了浏览器的一个事实：当请求满足以下条件时，浏览器允许脚本在不进行任何 CORS 预检的情况下直接发送请求：

- 没有 `Content-Type` 头（例如使用 `fetch()` 携带 `Blob` 作为 body）
- 且不发送任何认证凭据。

这种攻击主要在以下情况下相关：

- 应用在本地（如 `localhost`）或内网中运行
- 且应用没有任何认证，假定来自同一网络的请求都可信。

## 攻击示例 { #example-attack }

假设你构建了一个本地运行的 AI 代理。

它提供了一个 API，地址为

```

## Contribute to MinIO Project

Please follow MinIO [Contributor's Guide](https://github.com/minio/minio/blob/master/CONTRIBUTING.md) for guidance on making new contributions to the repository.

## License

- MinIO source is licensed under the [GNU AGPLv3](https://github.com/minio/minio/blob/master/LICENSE).

These attacks exploit the fact that browsers allow scripts to send requests without doing any CORS preflight check when they:

* don't have a `Content-Type` header (e.g. using `fetch()` with a `Blob` body)
* and don't send any authentication credentials.

This type of attack is mainly relevant when:

* the application is running locally (e.g. on `localhost`) or in an internal network

on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '45 9 * * 0'
  push:
    branches: [ "master" ]