Question
I don't really get Access-Control-Allow-Origin and CORS.
If I allow requests from any domain to my page, does that imply any security issues for my page?
I always thought that SOP ensures that no script can run on a page which requests data from another server, as that data might be malicious. But as the server which serves the malicious data can just reply with a header containing Access-Control-Allow-Origin: *, everything can be loaded from that server.
So as soon as somebody manages to inject a piece of JS code into a page, every malicious code can be loaded from a server belonging to the attacker.
Until now I assumed that I would have to enable cross-domain requests to allow code on my page to request data from another domain, but it seems to be the other way round: the other domain has to allow my domain to request data.
I don't really see the security benefits of this concept.
Could anybody explain the concepts behind this or tell me if I am getting it all wrong?
Recommended answer
Given:
- Alice, a user with a web browser
- Bob, a website owner who runs a website
- Mallory, a malicious website owner who runs a website
Alice has an account on Bob's server. Maybe it is her webmail. Maybe it is her online banking. Maybe it is somewhere she likes to shop.
Alice visits Mallory's website, not knowing that it is evil.
The Same Origin Policy prevents Mallory's website from using JavaScript to tell Alice's browser to make a request to Bob's website and give Alice's personal information (her bank balance, for instance) to Mallory's website (and therefore to Mallory).
(Sometimes the request will be blocked because the conditions require a pre-flight request; other times the request will go through but the response will not be provided to Mallory's site. Look up CSRF if you want to defend against attacks where the danger lies in what the server does when it gets the request rather than in information leaking from the response.)
CORS allows Bob to say that a resource on his website does not contain any personal information, so that it is safe to allow other sites to access it (or that a particular site can be trusted with the personal information).
"So as soon as somebody manages to inject a piece of JS code into a page, ..."
XSS is a completely different security problem. You need to prevent people injecting JS.
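As an added example, not part of the original answer: the following JavaScript models the three decisions the answer describes, in code that runs under Node without a browser. Bob's server decides which CORS headers to send (public resource, allowlisted partner, or nothing); Alice's browser decides whether the page that made the request may read the response; and a helper decides whether a request needs a pre-flight. The origins (bank.example, partner.example, evil.example), the "balance" and "rates" resources and Bob's allowlist are assumed for illustration. The last function shows the misconfiguration a practitioner most often finds: reflecting whatever Origin arrives together with Allow-Credentials, which hands Mallory exactly the response the Same Origin Policy was withholding.

```javascript
// Added example, not from the original post. Origins and policies below are assumed.
const BOB = "https://bank.example";
const PARTNER = "https://partner.example";
const MALLORY = "https://evil.example";

// CORS-safelisted methods, headers and Content-Types: requests using only these
// are sent without a pre-flight OPTIONS request.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Does the browser have to send a pre-flight before this request?
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;
    if (n === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Bob's side: which CORS headers go on the response for a given requesting Origin.
//   { public: true }      the resource carries no personal data, anyone may read it
//   { allow: [origins] }  only these origins may read it, with Alice's cookies attached
// Anything else: no CORS headers at all, so only Bob's own pages can read it.
function corsHeadersFor(requestOrigin, policy) {
  if (policy.public) {
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (Array.isArray(policy.allow) && policy.allow.includes(requestOrigin)) {
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Credentials": "true",
      // Caches must key on Origin so one origin's grant is not replayed to another.
      "Vary": "Origin",
    };
  }
  return {};
}

// The misconfiguration: echo any Origin and allow credentials. Mallory's page
// now reads Alice's personal data as if it were Bob's own page.
function corsHeadersReflectingAnyOrigin(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Alice's browser: may the page at pageOrigin read this response?
// For a non-pre-flighted request the request itself has already reached Bob
// (which is why CSRF is a separate problem); this only models read access.
function browserCanRead(pageOrigin, responseHeaders, { credentials = false } = {}) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !credentials; // "*" is never accepted for a credentialed request
  if (acao !== pageOrigin) return false;
  if (credentials) return responseHeaders["Access-Control-Allow-Credentials"] === "true";
  return true;
}

// The answer's scenario: Alice is logged in to Bob's bank and visits Mallory's site.
function scenario() {
  const balancePolicy = { allow: [PARTNER] }; // personal data, one trusted partner
  const ratesPolicy = { public: true };       // public data, anyone

  return {
    // Mallory's page asks for Alice's balance with her cookies: response withheld.
    malloryReadsBalance: browserCanRead(MALLORY, corsHeadersFor(MALLORY, balancePolicy), { credentials: true }),
    // The allowlisted partner may read it.
    partnerReadsBalance: browserCanRead(PARTNER, corsHeadersFor(PARTNER, balancePolicy), { credentials: true }),
    // Public rates served with "*" are readable by anyone, Mallory included.
    malloryReadsRates: browserCanRead(MALLORY, corsHeadersFor(MALLORY, ratesPolicy)),
    // "*" does not unlock a cookie-bearing request even for a public resource.
    malloryReadsRatesWithCookies: browserCanRead(MALLORY, corsHeadersFor(MALLORY, ratesPolicy), { credentials: true }),
    // With the reflecting misconfiguration Mallory reads the balance.
    malloryReadsBalanceIfReflected: browserCanRead(MALLORY, corsHeadersReflectingAnyOrigin(MALLORY), { credentials: true }),
    // A JSON POST or a DELETE is pre-flighted; a plain form POST is not.
    jsonPostPreflighted: needsPreflight("POST", { "Content-Type": "application/json" }),
    formPostPreflighted: needsPreflight("POST", { "Content-Type": "application/x-www-form-urlencoded" }),
    deletePreflighted: needsPreflight("DELETE"),
  };
}

console.log(scenario());
```

The check that matters on Bob's side is the allowlist comparison in corsHeadersFor: an exact match against a fixed list of origins, never a substring or regex match on the Origin header, and never echoing it back unconditionally when credentials are allowed.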
這篇關于Access-Control-Allow-Origin 和 CORS 背后的概念是什么?的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!