http://localhost:8000/v1/agents/multivac
```

尽管恶意网站与本地应用的主机不同，浏览器仍不会触发 CORS 预检请求，原因是：

- 请求不涉及任何认证，无需发送凭据。
- 浏览器认为它并未发送 JSON（因为缺少 `Content-Type` 头）。

于是，该恶意网站就可能让本地 AI 代理替用户向前老板发送愤怒消息……甚至更糟。😅

## 开放的互联网 { #open-internet }

如果你的应用部署在开放的互联网，你不会“信任网络”，也不会允许任何人不经认证就发送特权请求。

攻击者完全可以直接运行脚本向你的 API 发送请求，无需借助浏览器交互，因此你很可能已经对任何特权端点做好了安全防护。

在这种情况下，以上攻击/风险不适用于你。

该风险/攻击主要发生在应用运行于本地网络、且“仅依赖网络隔离作为保护”的场景。

 * [CWAC-NetSecurity](https://github.com/commonsguy/cwac-netsecurity): Simplifying Secure Internet Access.
 * [Failsafe](https://failsafe.dev/okhttp/): Fault tolerance and resilience patterns.
 * [Flipper](https://fbflipper.com/): A desktop debugging platform for mobile developers.

```

Examples:

Source (English):

```
<abbr title="Internet of Things">IoT</abbr>
<abbr title="Central Processing Unit">CPU</abbr>
<abbr title="too long; didn't read"><strong>TL;DR:</strong></abbr>
```

Result (German):

```
<abbr title="Internet of Things - Internet der Dinge">IoT</abbr>
<abbr title="Central Processing Unit - Zentrale Verarbeitungseinheit">CPU</abbr>

```

If you are on mac this'll warn you that you downloaded the shared library from
the internet. You'll need to go to settings and allow it to run.

The profiler tells you it'll be more accurate if you install debug symbols

```

即使惡意網站與本機應用的主機不同，瀏覽器也不會觸發 CORS 預檢請求，因為：

- 它在未經任何身分驗證的情況下執行，不需要送出任何憑證。
- 由於缺少 `Content-Type` 標頭，瀏覽器認為它並未傳送 JSON。

接著，惡意網站就能讓本機的 AI 代理替使用者向前老闆發飆傳訊... 或做更糟的事。😅

## 公開的網際網路 { #open-internet }

如果你的應用部署在公開的網際網路上，你不會「信任網路」而允許任何人在未經身分驗證的情況下發送具權限的請求。

攻擊者可以直接執行腳本向你的 API 發送請求，無需透過瀏覽器互動，因此你多半已經對任何具權限的端點做了防護。

在這種情況下，這種攻擊／風險不適用於你。

此風險與攻擊主要與應用只在本機或內部網路上執行，且「僅依賴此為保護」的情境相關。

### [URLs](https://square.github.io/okhttp/5.x/okhttp/okhttp3/-http-url/)

URLs (like `https://github.com/square/okhttp`) are fundamental to HTTP and the Internet. In addition to being a universal, decentralized naming scheme for everything on the web, they also specify how to access web resources.

URLs are abstract:

| append              | no        |
| rename              | no        |

MinIO supports following FTP/SFTP based protocols to access and manage data.

- Secure File Transfer Protocol (SFTP) – Defined by the Internet Engineering Task Force (IETF) as an
  extended version of SSH 2.0, allowing file transfer over SSH and for use with Transport Layer
  Security (TLS) and VPN applications.

    checkPublicSuffix("example.example", "example.example")
    checkPublicSuffix("b.example.example", "example.example")
    checkPublicSuffix("a.b.example.example", "example.example")
    // Listed, but non-Internet, TLD.
    // checkPublicSuffix("local", null);
    // checkPublicSuffix("example.local", null);
    // checkPublicSuffix("b.example.local", null);
    // checkPublicSuffix("a.b.example.local", null);

signs the other party's chain.

Well-Known Certificate Authorities
----------------------------------

In these examples we've prearranged which root certificates to trust. But for regular HTTPS on the
Internet this set of trusted root certificates is usually provided by default by the host platform.
Such a set typically includes many root certificates from well-known certificate authorities like
Entrust and Verisign.

     * (Android vs. Java), by platform release (Android 4.4 vs. Android 9), and with user
     * customizations.
     *
     * Most TLS clients that connect to hosts on the public Internet should call this method.
     * Otherwise it is necessary to manually prepare a comprehensive set of trusted roots.
     *
     * If the host platform is compromised or misconfigured this may contain untrustworthy root