关于CORS的安全问题
[英]Security concerns about CORS
问题描述
I've just learned about CORS, basically because I didn't need it until now. 
我刚刚了解了CORS,主要是因为我直到现在才需要它。
I've read that CORS enables cross-site origin, by sending HTTP headers with the AJAX call, so the other server can evaluate the request is coming from an approved site. 我已经读过CORS通过发送带有AJAX调用的HTTP头来启用跨站点源,因此其他服务器可以评估请求来自已批准的站点。
Now my main concern is, can't the HTTP headers be spoofed? 现在我主要担心的是,HTTP标头不能被欺骗吗? For example, can't an attacker curl a request to the other server, sending the exact HTTP headers that my CORS request does? 例如,攻击者不能将请求卷曲到其他服务器,发送我的CORS请求所做的确切HTTP头吗? In that case, the server will accept the request, and the attacker will retrieve any sensitive data the server will send him. 在这种情况下,服务器将接受请求,攻击者将检索服务器将发送给他的任何敏感数据。
We all know how easy it is to retrieve javascript from a page, so everything I send with CORS can easilly be seen by keen eyes. 我们都知道从页面检索javascript是多么容易,所以我用CORS发送的所有内容都可以通过敏锐的眼光看到。 HTTP headers included. 包含HTTP标头。
So, I guess sensitive information should never be shared within a CORS communication... Or did I get this everything wrong? 因此,我认为敏感信息永远不应该在CORS通信中共享......或者我是否认为这一切都错了? Please shed some light! 请轻松一点! :) Thanks :) 谢谢
1 个解决方案
解决方案1
9 已采纳 2014-01-31 13:00:59
Now my main concern is, can't the HTTP headers be spoofed?
You have two misconceptions here. 你有两个误解。
- CORS headers are sent by the server not the client (although sometimes a client will make a pre-flight OPTIONS request) CORS标头由服务器而不是客户端发送(尽管有时客户端会发出飞行前OPTIONS请求)
- What the Same Origin Policy is defending against 什么是同源政策正在防范
The Same Origin Policy exists to stop Mallory's (evil) website from getting data from Bob's website by asking Alice's browser to request it when Alice visits Mallory's website. 同源政策的存在是为了阻止Mallory(邪恶)网站从Alice的网站获取数据,当Alice访问Mallory的网站时,要求Alice的浏览器请求它。
If that was possible, then Mallory could get any information that was supposed to be a shared secret between Alice and Bob (such as Alice's account balance on Bob's banking website). 如果可能,那么Mallory可以获得任何应该是Alice和Bob之间共享秘密的信息(例如Alice在Bob银行网站上的账户余额)。
can't an attacker curl a request to the other server, sending the exact HTTP headers that my CORS request does?
Since Mallory has no way of knowing what security credentials need to be included in the request (because, for instance, they are stored in Alice's cookies for Bob's website): No. 由于Mallory无法知道请求中需要包含哪些安全凭证(例如,因为它们存储在Alice的Cookie的Bob网站中):不。
But CORS doesn't matter here, but the Same Origin Policy isn't implemented by cURL since it isn't a browser running JavaScript supplied by arbitrary websites. 但是CORS在这里并不重要,但是同源策略不是由cURL实现的,因为它不是运行由任意网站提供的JavaScript的浏览器。
I guess sensitive information should never be shared within a CORS communication
It depends on the nature of the information. 这取决于信息的性质。
If Alice and whatever websites you authorise in the CORS headers are allowed to see it, then it is fine to send it (although you should probably use SSL): So long as you have authenticated Alice's identity. 如果Alice 和你在CORS标题中授权的任何网站都被允许看到它,那么发送它就好了(尽管你应该使用SSL):只要你认证了Alice的身份。
If only Alice and you site should see it, then don't put CORS headers on it (and don't provide any other way to bypass the Same Origin Policy, such as JSON-P). 如果只有Alice和你的站点应该看到它,那么不要在其上放置CORS头(并且不提供绕过同源策略的任何其他方式,例如JSON-P)。
If Alice shouldn't see it, then you should never send it to Alice's browser, CORS or no CORS. 如果Alice不应该看到它,那么你永远不应该将它发送到Alice的浏览器,CORS或没有CORS。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.