Can HTTP Access Control (CORS) prevent other domains from running my scripts?

I know by default the HTML page on other domains can't access my images, videos. They can only show them. But sadly, they can still run my scripts. If my script exposes some variables to the global scope, then the internal logic may be known by others.

I have a private website that others can't visit. Only I can visit it by sending a token in the Cookie to the server. If the token isn't included in the Cookie, every request will cause a 500 server error response. This is secure because everything is on HTTPS.

But unfortunately, I find this isn't very safe on my own machine, because after I visit my site and then visit a malicious site, this malicious site can use the following method to run my script:

<script src="https://my-website.com/main.js"></script>

That's because the Cookies of my website on my machine will be sent to my server as 3rd-party Cookies.

How to prevent that? Can access-control-allow-origin do so?

PS I don't want to disable all 3rd-party cookies in browser settings. Cookie's SameSite also doesn't make sense because only Chrome supports it now.

There are a number of imaginable ways to prevent other sites from using the script element to run copies of scripts from your site in their sites, but CORS isn't one of them.

Browsers are where the same-origin policy (SOP) is enforced, and browsers are what block JavaScript running in Web apps from being able to use responses from cross-origin requests.

But browsers don't use SOP/CORS when a Web app uses the script element to embed some JavaScript. Specifically, browsers don't check that the script is served from the other site with an Access-Control-Allow-Origin header, which is the foundation of the whole CORS protocol.

So CORS is definitely not a solution to the problem you seem to want to solve.

But unfortunately, I find this isn't very safe on my own machine, because after I visit my site and then visit a malicious site, this malicious site can use the following method to run my script:

 <script src="https://my-website.com/main.js"></script>

But if that site embeds your script in theirs that way, it runs within their origin, not yours. It runs there as a trusted script with all the same privileges of any script they've written themselves.

In that scenario, the other site is the one taking a security risk—because you can at any time change your https://my-website.com/main.js script to do anything you want at their site.

That is, by embedding your script that way, the other site gives your script programmatic fully-trusted access to do anything it wants at their entire origin—gifting you an XSS opportunity.
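The following is an added illustration, not code from the question or the answer above. It models the two browser behaviours the thread turns on: which cross-site requests carry the site's cookie (the SameSite rules the question brushes aside, carried a little further than the page itself goes) and the fact that a plain script element never consults Access-Control-Allow-Origin. All function and field names are hypothetical.

```javascript
// Added model of browser cookie/CORS behaviour (hypothetical helper names).

// Parse one Set-Cookie header value into { name, value, secure, sameSite }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    if (k.toLowerCase() === 'secure') cookie.secure = true;
    if (k.toLowerCase() === 'samesite') cookie.sameSite = v.toLowerCase();
  }
  return cookie;
}

// Decide whether the browser attaches `cookie` to a request described by `req`:
//   req.https              the request goes over HTTPS
//   req.crossSite          the initiating page is on a different site
//   req.topLevelNavigation a navigation (link click) rather than a subresource load
//   req.method             HTTP method
// `legacyDefault` is the SameSite mode assumed when the cookie sets none:
// 'none' for browsers of the thread's era, 'lax' for current ones.
function cookieSentOn(cookie, req, legacyDefault = 'none') {
  if (cookie.secure && !req.https) return false;
  if (!req.crossSite) return true;                  // same-site: always sent
  const mode = cookie.sameSite || legacyDefault;
  if (mode === 'strict') return false;              // never sent cross-site
  if (mode === 'lax') {                             // only safe top-level navigations
    return req.topLevelNavigation && ['GET', 'HEAD', 'OPTIONS'].includes(req.method);
  }
  return true;                                      // SameSite=None: sent cross-site
}

// A classic <script src> (no crossorigin attribute) is a "no-cors" subresource
// fetch: the browser executes the response inside the embedder's origin whether
// or not the server sent Access-Control-Allow-Origin, so `acaoHeader` is ignored.
function scriptEmbedOutcome(setCookieHeader, acaoHeader, legacyDefault = 'none') {
  const cookie = parseSetCookie(setCookieHeader);
  const req = { https: true, crossSite: true, topLevelNavigation: false, method: 'GET' };
  return {
    cookieSent: cookieSentOn(cookie, req, legacyDefault),
    executedInEmbedderOrigin: true,                 // independent of acaoHeader
    corsHeaderChecked: false,
  };
}
```

With the question's cookie ("token=…; Secure", no SameSite) and an era-appropriate default of None, the cookie rides along with the cross-site script load and the script still runs, whatever Access-Control-Allow-Origin says; a SameSite=Strict or Lax cookie is withheld from that subresource fetch, which is the server-side-visible difference.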
