
In which scenarios is it acceptable to disable the Same Origin Policy of browsers?

I want to make an HTTP GET request to a site in a different domain than the client site. The final objective is to display a dashboard in the client site for the data that is in the source site. The server of the source site is not configured for CORS and therefore it's not possible to make a simple AJAX call using JavaScript.

So I have two options, either to set up a proxy or disable Same Origin Policy for the browser. This dashboard is to be displayed on a dedicated machine on a common display. Is it okay to disable Same Origin Request restriction for the browser since it's only used for this purpose? Thanks.

You have another option that you didn't mention: get the data from the external site server-side, and pass it to your own dashboard. This, btw, is the preferred way.
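A minimal version of that server-side approach, as an added example that is not part of the answer above: a tiny same-origin proxy that fetches one fixed upstream URL and hands the body to the dashboard page, so the browser's SOP stays untouched. The upstream URL, the `/api/metrics` route and the port are assumptions.

```python
"""Same-origin proxy for a cross-origin dashboard feed (added example, not from the thread).

The dashboard page is served from this same origin, so the browser never needs
the SOP relaxed. The upstream URL is fixed in code: the client cannot choose
it, so the proxy cannot be used as an open relay to arbitrary hosts.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

UPSTREAM = "https://source.example/api/metrics"  # assumed upstream data URL
TIMEOUT = 5  # seconds; never block the dashboard forever on a slow upstream


def fetch_upstream(opener=urlopen):
    """Fetch the fixed upstream resource and return (status, body_bytes).

    `opener` is injectable so the logic can be exercised without network
    access. No cookies or client headers are forwarded: the proxy talks to
    the source site with its own identity only.
    """
    req = Request(UPSTREAM, headers={"Accept": "application/json"})
    try:
        with opener(req, timeout=TIMEOUT) as resp:
            return 200, resp.read()
    except OSError:  # URLError, HTTPError and timeouts are all OSError
        return 502, json.dumps({"error": "upstream unavailable"}).encode()


def route(path):
    """Return True only for the single path the dashboard is allowed to call."""
    return path == "/api/metrics"


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not route(self.path):
            self.send_error(404)
            return
        status, body = fetch_upstream()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Serve the dashboard's static files from the same origin (not shown).
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

The dashboard's JavaScript then calls `/api/metrics` on its own origin, which needs neither CORS on the source site nor any browser flag.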

You can disable it, but you need to understand the consequences. The main goal of the single-origin-policy is to help prevent XSS attacks. The SOP protects users from unknowingly having malicious AJAX making requests on their behalf.

With Cross-Origin-Resource-Sharing disabled, if malicious JavaScript is injected into a browser session, say through an ad network, then that JavaScript would be blocked from things like connecting to the user's online banking page.

When you indiscriminately bypass the SOP in a browser, then any browsing session can be attacked in this way. If you're on a secure network and can guarantee that your site isn't compromised, and the browser won't be used for other purposes, then-and-only-then you are guaranteed to be safe.

On the other hand, as soon as someone uses that browser to connect to an unknown site, you have opened an attack vector. It's probably best not to mess with that setting, but only you can determine what is best for your specific scenario.
