CORS如何真正防范安全问题?
[英]How does CORS actually protect against security issues?
问题描述
After reading a lot of documents from MDN and CodeAcademy I still do not fully understand what the CORS handshake actually protects against. 
在阅读了MDN和CodeAcademy的许多文档之后,我仍然不完全了解CORS握手实际上可以防止的攻击。
I understand that the mechanism shall protect the browser from requesting resources that are located at a different origin without further controls. 我知道该机制可以保护浏览器免于请求位于其他来源的资源,而无需进一步的控制。
Furthermore, as far as I understand the specification, the access control decision is fully evaluated by the server that is target of the CORS request. 此外,据我了解的规范,访问控制决策由作为CORS请求目标的服务器完全评估。 For example, if the server replies with the "Access-Control-Allow-Origin" header set (eg to "*") the browser will be allowed to handle the response. 例如,如果服务器以“ Access-Control-Allow-Origin”标头设置(例如,“ *”)答复,则将允许浏览器处理响应。
Here are two scenarios that raise my questions: 这是两个提出我问题的方案:
- If I was an evil server developer, I would reply with "Access-Control-Allow-Origin" set to * always, which allows the browser to handle the response. 如果我是一个邪恶的服务器开发人员,我将“ Access-Control-Allow-Origin”始终设置为*进行答复,这将允许浏览器处理响应。
- If I was an evil person and wanted to access the resources no matter what, I would use a (custom) web client that does not implement the CORS mechanism. 如果我是一个邪恶的人,无论如何都想访问资源,我将使用一个未实现CORS机制的(自定义)Web客户端。
With this both scenarios mentioned, I wonder what CORS really protect against. 提到这两种情况,我想知道CORS真正能抵御什么。 And I wonder if it would be more safe to reject requests from prohibited origins and send an adequate HTTP status (eg 403 Forbidden) within the response. 而且我想知道,拒绝来自禁止来源的请求并在响应中发送适当的HTTP状态(例如403 Forbidden)是否更安全。
Probably I am missing something but I'd be grateful for any hint in the right direction. 可能我遗漏了一些东西,但我对任何正确方向的提示深表感谢。
1 个解决方案
解决方案1
1 已采纳 2019-09-18 12:05:11
In response to your points: 针对您的观点:
CORS is concerned with preventing cross-origin access.
CORS与防止跨域访问有关。 In this scenario, say you're accessing goodserver.com, they will be serving you the content, and they are therefore the origin in the jargon.在这种情况下,假设您正在访问goodserver.com,它们将为您提供内容,因此它们是行话的起源 。 Presumably then they're not going to serve you anything that talks toevilserver.com.大概然后他们将不会为您提供任何与evilserver.com。 Note that CORS is therefore not trying to prevent cross site scripting - in which an attacker somehow puts code on your origin that does talk toevilserver.com.请注意,因此,CORS并未尝试阻止跨站点脚本编写-攻击者以某种方式将代码放到您的源代码中,该代码确实与evilserver.com进行evilserver.com。CORS is implemented in your browser, so as an evil person, you'd need to write a browser and persuade people to download and run it.
CORS是在您的浏览器中实现的,因此,作为一个邪恶的人,您需要编写一个浏览器并说服人们下载并运行它。 However you're right that if you write a native app, or use HTML forms you'd not benefit from CORS security. 但是,您是对的,如果您编写本机应用程序或使用HTML表单,则不会从CORS安全性中受益。
Your question does highlight though where the CORS system relies on trust and that's worth bearing in mind. 您的问题确实突显了CORS系统在哪里依赖信任,这是值得牢记的。
You might find this helpful, as they walk through the process: 当他们逐步完成该过程时,您可能会发现这很有帮助:
https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/ https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.