为什么禁止没有凭据的 CORS?

我试图理解为什么不允许没有凭据的跨域请求(默认情况下,没有设置服务器来返回 Access-Control-Allow-Origin 标头).当请求具有凭据时,一切都非常简单 - 如果您已登录,则可以代表您在其他网站上执行一些恶意操作,例如在 Facebook 上.

I'm trying to understand why cross-domain requests without credentials are not allowed (by default, without setting up a server to return the Access-Control-Allow-Origin header). When a request has credentials all is pretty straightforward - one can fulfill some malicious actions on your behalf on other sites, for example on Facebook, if you have logged in on it.

例如请求

xhr = new XMLHttpRequest();
xhr.open('GET', 'http://www.google.com');
xhr.send();

产生错误(我从这个站点在 Chrome 的控制台中执行它):

produces the error (I executed it in Chrome's console from this site):

XMLHttpRequest 无法加载 http://www.google.com/.不请求中存在Access-Control-Allow-Origin"标头资源.因此,来源 'http://stackoverflow.com' 是不允许的访问.

XMLHttpRequest cannot load http://www.google.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://stackoverflow.com' is therefore not allowed access.

因此,服务器必须发送适当的标头(例如 Access-Control-Allow-Origin: * )才能使该请求起作用.

So, the server must send an appropriate header (e.g Access-Control-Allow-Origin: * ) to this request can work.

这只是一个简单的请求,不会发送任何 cookie.这种限制的原因是什么?如果允许此类 CORS,可能会出现哪些安全问题?

This is just a simple request and no cookies are sent. What's the reason for such a restriction? What security issues might take place if such CORS will be allowed?

没有凭据 - 没有 cookie:XMLHTTPRequest 的默认设置是 withCredentials = false,因此请求中不会发送任何 cookie - 链接.

without credentials - without cookies: default settings for XMLHTTPRequest is withCredentials = false, so no cookies are sent in the request - link.

推荐答案

我会继续从 Security.SE 的 为什么需要 Access-Control-Allow-Origin 标头?

I'll go ahead and liberally steal from Security.SE's Why is the Access-Control-Allow-Origin header necessary?

这里主要关注的是基于网络拓扑的访问控制.假设您在家庭网络上运行 HTTP 服务(事实上,如果您的路由器本身具有 Web 界面,您几乎肯定会这样做).我们将此服务称为 R,只有连接到家庭路由器的机器才能访问该服务.

The main concern here is access control based on network topology. Suppose you run a HTTP service on your home network (in fact, you almost certainly do, if your router itself has a Web interface). We'll call this service R, and the only machines connected to your home router can get to the service.

当您的浏览器访问 evil.example.com 时,该站点会为您的浏览器提供一个脚本,告诉它获取 R 的内容并将其发送回 evil.example.com.即使没有凭据,这也可能很糟糕,因为它违反了本地网络之外的任何人都无法查看本地网络内运行的服务的假设.同源策略阻止了这种情况的发生.如果同源策略仅在涉及凭据时发挥作用,则可能会绕过基于拓扑的保护.

When your browser visits evil.example.com, that site serves your browser a script, telling it to fetch the contents of R and send it back to evil.example.com. This is potentially bad, even without credentials, because it's a violation of the assumption that no one outside your local network can view the services running inside your local network. The same-origin policy stops this from happening. If the same-origin policy only came into play when credentials were involved, it would opens up the possibility of bypassing topology-based protections.

还要考虑一些公共服务允许基于 IP 地址的访问:

Consider also that some public services allow access based on IP address:

  • 牛津英语词典将其在线条目的访问权限限制为来自订阅大学的 IP 地址
  • 英国将 BBC 内容的访问权限限制在国内的 IP 地址内

在此处列出的所有情况下,浏览器都可能被用作任何为其提供脚本的网站的不知情代理.

In all of the cases listed here, a browser could be used as an unwitting proxy for any site that serves it a script.

相关文章