将所有域添加到 CORS 的安全隐患(访问控制允许来源:*)
据说不是将所有域都添加到 CORS,而应该只添加一组域.然而,添加一组域有时并非易事.例如.如果我想公开一个 API,那么对于每个想要调用该 API 的域,都需要联系我以将该域添加到允许的域列表中.
It is said that instead of adding all domains to CORS, one should only add a set of domains. Yet it is sometimes not trivial to add a set of domains. E.g. if I want to publicly expose an API then for every domain that wants to make a call to that API I would need to be contacted to add that domain to the list of allowed domains.
我想在安全隐患和减少工作量之间做出有意识的权衡决定.
I'd like to make a conscious trade off decision between security implications and less work.
我看到的唯一安全问题是 DoS 攻击 和 CSRF 攻击.CSRF 攻击已经可以通过 IMG 元素和 FORM 元素实现.与 CORS 相关的 DoS 攻击可以通过在引用标头上阻止请求来克服.
The only security issues I see are DoS attacks and CSRF attacks. CSRF attacks can already be achieved with IMG elements and FORM elements. DoS attacks related to CORS can be overcome by blocking requests upon the referrer header.
我是否遗漏了安全隐患?
Am I missing security implications?
===编辑===
- 假设
Access-Control-Allow-CredentialsHeader 没有设置 - 我知道如何添加给定的域CORS 访问"列表,因此我只对添加所有域CORS 访问"的安全影响感兴趣
- It is assumed that the
Access-Control-Allow-CredentialsHeader is not set - I know how to add a given list of domains "CORS access" and I'm therefore only interested in the security implications of adding all domains "CORS access"
推荐答案
除了 csauve 的回复之外,其他回复都没有回答我原来的问题.
Except of csauve's one, none of the replies answer my original question.
回答我的问题;看来只要不设置Access-Control-Allow-Credentials就没有安全问题.
To answer my question; It seems that as long as Access-Control-Allow-Credentials is not set then there is no security problem.
(这让我想知道为什么在 Access-Control-Allow-Credentials 未设置时规范需要预检?)
(Which makes me wonder why the spec requires preflight when Access-Control-Allow-Credentials is not set?)
相关文章