Access-Control-Allow-Origin 和 CORS 背后的概念是什么?
我并没有真正了解 Access-Control-Allow-Origin
和 CORS.
如果我允许来自任何域的请求到我的页面,这是否意味着我的页面存在任何安全问题?
I don't really get Access-Control-Allow-Origin
and CORS.
If I allow request from any domain to my page, does that imply any security issues for my page?
我一直认为,SOP 确保不能在页面上运行任何脚本,该脚本从另一台服务器请求数据,因为该数据可能是恶意的.但是,服务于恶意数据的服务器可以只回复包含 Access-Control-Allow-Origin:*
的标头,因此可以从该服务器加载所有内容.
因此,一旦有人设法将一段 JS 代码注入页面,每个恶意代码都可以从属于攻击者的服务器加载.
I always thought, that SOP ensures, that there can't run any script on a page, which requests data from another server, as that data might be malicious. But as the server, which serves the malicious data, can just reply with a header containing Access-Control-Allow-Origin:*
, everything can be loaded from that server.
So as soon as somebody manages to inject a piece of JS code into a page, every malicious code can be loaded from a server belonging to the attacker.
Unitl 现在我假设我必须启用跨域请求以允许我的页面上的代码从另一个域请求数据,但它似乎是相反的;另一个域必须允许我的域请求数据.我并没有真正看到这个概念的安全优势.
任何人都可以解释这背后的概念或告诉我我是否完全错了?
Unitl now I assumed, that I would have to enable cross domain requests to allow code on my page to request data from another domain but it seems to be the other way round; the other domain has to allow my domain to request data.
I don't really see the security benefits of this concept.
Could anybody explain the concepts behind this or tell me if I am getting it all wrong?
推荐答案
鉴于:
- Alice,一个使用浏览器的用户
- Bob,拥有网站的网站所有者
- Mallory,一个拥有网站的恶意网站所有者
Alice 在 Bob 的服务器上有一个帐户.也许是她的网络邮件.也许是她的网上银行.也许这是她喜欢购物的地方.
Alice has an account on Bob's server. Maybe it is her webmail. Maybe it is her online banking. Maybe it is somewhere she likes to shop.
Alice 访问 Mallory 的网站,却不知道它是邪恶的.
Alice visits Mallory's website, not knowing that it is evil.
同源政策阻止 Mallory 的网站使用 JavaScript 告诉 Alice 的浏览器向 Bob 的网站发出请求,并将 Alice 的个人信息(例如她的银行余额)提供给 Mallory 的网站(因此也提供给 Mallory).
The Same Origin Policy prevents Mallory's website from using JavaScript to tell Alice's browser to make a request to Bob's website and give Alice's personal information (her bank balance for instance) to Mallory's website (and therefore to Mallory).
(有时请求会被阻止,因为条件需要飞行前请求,其他时候请求会通过,但不会将响应提供给 Mallory 的站点.如果您想防御攻击,请查找 CSRF危险在于服务器在收到请求时所做的事情,而不是响应中泄漏的信息).
(Sometimes the request will be blocked because the conditions require a pre-flight request, other times the request will go through but the response will not be provided to Mallory's site. Look up CSRF if you want to defend against attacks where the danger lies in what the server does when it gets the request rather then in information leaking from the response).
CORS 允许 Bob 说他网站上的资源不包含任何个人信息,因此允许其他网站访问它是安全的(或者可以信任特定网站的个人信息).
CORS allows Bob to say that a resource on his website does not contain any personal information so that it is safe to allow other sites to access it (or that a particular site can be trusted with the personal information).
所以一旦有人设法将一段 JS 代码注入到页面中,
So as soon as somebody manages to inject a piece of JS code into a page,
XSS 是一个完全不同的安全问题.你需要防止人们注入 JS.
XSS is a completely different security problem. You need to prevent people injecting JS.
相关文章