
Cross-Origin Resource Sharing (CORS) - am I missing something here?

I was reading about CORS and I think the implementation is both simple and effective.

However, unless I'm missing something, I think there's a big part missing from the spec. As I understand, it's the foreign site that decides, based on the origin of the request (and optionally including credentials), whether to allow access to its resources. This is fine.

But what if malicious code on the page wants to POST a user's sensitive information to a foreign site? The foreign site is obviously going to authenticate the request. Hence, again if I'm not missing something, CORS actually makes it easier to steal sensitive information.

I think it would have made much more sense if the original site could also supply an immutable list of servers its page is allowed to access.

So the expanded sequence would be:

  1. Supply a page with a list of acceptable CORS servers (abc.com, xyz.com, etc.)
  2. Page wants to make an XHR request to abc.com - the browser allows this because it's in the allowed list and authentication proceeds as normal
  3. Page wants to make an XHR request to malicious.com - request rejected locally (i.e. by the browser) because the server is not in the list.

I know that malicious code could still use JSONP to do its dirty work, but I would have thought that a complete implementation of CORS would imply the closing of the script tag multi-site loophole.

I also checked out the official CORS spec ( http://www.w3.org/TR/cors ) and could not find any mention of this issue.

But what if malicious code on the page wants to POST a user's sensitive information to a foreign site?

What about it? You can already do that without CORS. Even back as far as Netscape 2, you have always been able to transfer information to any third-party site through simple GET and POST requests caused by interfaces as simple as form.submit(), new Image, or setting window.location.

If malicious code has access to sensitive information, you have already totally lost.

3) Page wants to make an XHR request to malicious.com - request rejected locally

Why would a page try to make an XHR request to a site it has not already whitelisted?

If you are trying to protect against the actions of malicious script injected due to XSS vulnerabilities, you are attempting to fix the symptom, not the cause.

Your worries are completely valid.

However, more worrisome is the fact that there doesn't need to be any malicious code present for this to be taken advantage of. There are a number of DOM-based cross-site scripting vulnerabilities that allow attackers to take advantage of the issue you described and insert malicious JavaScript into vulnerable webpages. The issue is more than just where data can be sent, but where data can be received from.

I talk about this in more detail here:

It seems to me that CORS is purely expanding what is possible, and trying to do it securely. I think this is clearly a conservative move. Making a stricter cross-domain policy on other tags (script/image), while more secure, would break a lot of existing code and make it much more difficult to adopt the new technology. Hopefully, something will be done to close that security hole, but I think they need to make sure it's an easy transition first.

I also checked out the official CORS spec and could not find any mention of this issue.

Right. The CORS specification is solving a completely different problem. You're mistaken that it makes the problem worse - it makes the problem neither better nor worse, because once a malicious script is running on your page it can already send the data anywhere.

The good news, though, is that there is a widely-implemented specification that addresses this problem: the Content-Security-Policy. It allows you to instruct the browser to place limits on what your page can do.

For example, you can tell the browser not to execute any inline scripts, which will immediately defeat many XSS attacks. Or - as you've requested here - you can explicitly tell the browser which domains the page is allowed to contact.
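The allow-list the question asked for, written as the Content-Security-Policy this answer points to, together with a simplified model of how the browser evaluates it. This is an added example, not code from the answer or from any browser; the directive names and source-expression syntax are real CSP, but the policy, the page origin https://app.example.com, the hosts and the request list are constructed for illustration, and path matching and a few directive-fallback exceptions are deliberately left out.

```javascript
// Added example: a page-supplied allow-list as CSP, plus a simplified matcher.
// Policy, hosts and requests are constructed; real CSP also matches paths,
// which this model omits.

// `connect-src` governs XHR/fetch/WebSocket, `img-src` the `new Image()` channel,
// `form-action` the `form.submit()` channel; `script-src` without 'unsafe-inline'
// refuses inline <script> blocks. default-src 'none' closes everything else.
const policy = {
  "default-src": ["'none'"],
  "script-src": ["'self'", "https://cdn.example.com"],
  "connect-src": ["'self'", "https://abc.com", "https://*.xyz.com"],
  "img-src": ["'self'"],
  "form-action": ["'self'"],
};

// Serialize to the header value the origin server would send.
function buildCspHeader(p) {
  return Object.entries(p).map(([d, srcs]) => `${d} ${srcs.join(" ")}`).join("; ");
}

function defaultPort(protocol) {
  return { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" }[protocol] || "";
}

// Does one source expression ('self', 'none', https:, abc.com, https://*.xyz.com:443) match a URL?
function hostSourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces: never match a URL
  let scheme = null, hostPort = expr;
  const m = expr.match(/^([a-z][a-z0-9+.-]*):(?:\/\/(.*))?$/i);
  if (m) { scheme = m[1].toLowerCase(); hostPort = m[2] ?? ""; }
  const pageScheme = new URL(pageOrigin).protocol;
  if (scheme && scheme + ":" !== url.protocol) return false;
  // A scheme-less source inherits the page's scheme (https is also accepted for an http page).
  if (!scheme && url.protocol !== pageScheme && url.protocol !== "https:") return false;
  if (hostPort === "") return scheme !== null; // scheme-only source such as "https:"
  const [host, port] = hostPort.split(":");
  if (host.startsWith("*.")) {
    const suffix = host.slice(1).toLowerCase(); // ".xyz.com": at least one label must precede it
    if (!url.hostname.endsWith(suffix) || url.hostname.length <= suffix.length) return false;
  } else if (host.toLowerCase() !== url.hostname) return false;
  if (port !== undefined && port !== "*" && port !== (url.port || defaultPort(url.protocol))) return false;
  return true;
}

// Directive lookup with default-src fallback. (Real CSP exempts a few directives,
// form-action among them, from this fallback; simplified here.)
function effectiveSources(p, directive) {
  return p[directive] ?? p["default-src"] ?? null; // null: unrestricted
}

// target is a URL string, or the literal "inline" for an inline script block.
function cspAllows(p, pageOrigin, directive, target) {
  const srcs = effectiveSources(p, directive);
  if (srcs === null) return true;
  if (target === "inline") return srcs.includes("'unsafe-inline'");
  const url = new URL(target);
  return srcs.some((expr) => hostSourceMatches(expr, url, pageOrigin));
}

// Requests a script on the page might attempt, evaluated against the policy.
function demo() {
  const page = "https://app.example.com";
  return {
    header: buildCspHeader(policy),
    xhrAbc: cspAllows(policy, page, "connect-src", "https://abc.com/api"),
    xhrSubXyz: cspAllows(policy, page, "connect-src", "https://api.xyz.com/v1"),
    xhrBareXyz: cspAllows(policy, page, "connect-src", "https://xyz.com/v1"),         // wildcard needs a subdomain
    xhrMalicious: cspAllows(policy, page, "connect-src", "https://malicious.com/x"),
    xhrHttpAbc: cspAllows(policy, page, "connect-src", "http://abc.com/api"),          // source pins https
    imgExfil: cspAllows(policy, page, "img-src", "https://malicious.com/p?d=secret"),
    formExfil: cspAllows(policy, page, "form-action", "https://malicious.com/post"),
    inlineScript: cspAllows(policy, page, "script-src", "inline"),
    cdnScript: cspAllows(policy, page, "script-src", "https://cdn.example.com/a.js"),
    frameFallsBack: cspAllows(policy, page, "frame-src", "https://abc.com/"),         // default-src 'none'
  };
}
```

The point of running it is the last few entries: the same policy that closes the XHR route to malicious.com also closes the new Image and form.submit() routes the first answer mentions, which the server-side CORS allow-list alone never could.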

The problem isn't that a site can access another site's resources that it already had access to. The problem is one of domain -- if I'm using a browser at my company, and an ajax script maliciously decides to try out 10.0.0.1 (potentially my gateway), it may have access simply because the request is now coming from my computer (perhaps 10.0.0.2).

So the solution -- CORS. I'm not saying it's the best, but it solves this issue.

1) If the gateway can't return the 'bobthehacker.com' accepted origin header, the request is rejected by the browser. This handles old or unprepared servers.

2) If the gateway only allows items from the myinternaldomain.com domain, it will reject an ORIGIN of 'bobthehacker.com'. In the SIMPLE CORS case, it will actually still return the results by default; you can configure the server to not even do that. Then the results are discarded without being loaded by the browser.

3) Finally, even if it would accept certain domains, you have some control over the headers that are accepted and rejected to make the request from those sites conform to a certain shape.

Note -- the ORIGIN and OPTIONS headers are controlled by the requester -- obviously someone creating their own HTTP request can put whatever they want in there. However a modern CORS-compliant browser WON'T do that. It is the browser that controls the interaction. The browser is preventing bobthehacker.com from accessing the gateway. That is the part you are missing.
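The three cases in this answer as a runnable model, with the gateway's allow-list on one side and the browser's decision on the other. This is an added example, not code from the answer: the host names myinternaldomain.com and bobthehacker.com and the 10.0.0.1 gateway are the answer's own, while the request/response object shapes, the handler and the rejectEarly option are assumptions of the example.

```javascript
// Added example: CORS as two cooperating checks. Request/response shapes and
// the gateway handler are constructed for this model.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// Server side. With rejectEarly=false (the "simple CORS" default the answer
// mentions) the handler still runs for a disallowed origin; the server merely
// omits Access-Control-Allow-Origin and the browser hides the response.
// rejectEarly=true refuses before the handler, so no side effect occurs.
function corsServer(handler, allowedOrigins, { rejectEarly = false } = {}) {
  return function respond(req) {
    const origin = req.headers.origin;
    const allowed = origin !== undefined && allowedOrigins.includes(origin);
    const cors = allowed ? { "access-control-allow-origin": origin, vary: "Origin" } : {};

    // Preflight: OPTIONS carrying Access-Control-Request-Method.
    if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
      if (!allowed) return { status: 403, headers: {}, body: "" };
      return { status: 204, body: "", headers: { ...cors,
        "access-control-allow-methods": "GET, POST, PUT, DELETE",
        "access-control-allow-headers": "Content-Type, X-Requested-With" } };
    }
    if (!allowed && rejectEarly) return { status: 403, headers: {}, body: "" };
    const res = handler(req); // side effects, if any, happen here
    return { ...res, headers: { ...res.headers, ...cors } };
  };
}

// Browser side: a "simple" request needs no preflight.
function isSimpleRequest(req) {
  if (!SIMPLE_METHODS.has(req.method)) return false;
  return Object.entries(req.headers).every(([name, value]) => {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return false;
    return n !== "content-type" || SIMPLE_CONTENT_TYPES.includes(value.split(";")[0].trim());
  });
}

// Browser side: a script on pageOrigin calls XHR/fetch. The browser, not the
// script, sets the Origin header, runs the preflight, and decides whether the
// response is ever exposed to the script.
function browserFetch(pageOrigin, req, server) {
  const withOrigin = { ...req, headers: { ...req.headers, origin: pageOrigin } };
  if (new URL(req.url).origin === pageOrigin) return { sent: true, exposed: true, response: server(withOrigin) };
  if (!isSimpleRequest(req)) {
    const pre = server({ method: "OPTIONS", url: req.url, headers: { origin: pageOrigin,
      "access-control-request-method": req.method,
      "access-control-request-headers": Object.keys(req.headers).join(", ") } });
    const okOrigin = pre.headers["access-control-allow-origin"] === pageOrigin;
    const okMethod = (pre.headers["access-control-allow-methods"] || "").split(/,\s*/).includes(req.method);
    if (pre.status >= 400 || !okOrigin || !okMethod) return { sent: false, exposed: false, response: null };
  }
  const response = server(withOrigin);
  const acao = response.headers["access-control-allow-origin"];
  const exposed = acao === "*" || acao === pageOrigin;
  return { sent: true, exposed, response: exposed ? response : null };
}

// Constructed gateway that records every request reaching its handler.
function makeGateway() {
  const log = [];
  const handler = (req) => {
    log.push(`${req.method} ${new URL(req.url).pathname} from ${req.headers.origin}`);
    return { status: 200, headers: { "content-type": "text/plain" }, body: "router config" };
  };
  return { log, handler };
}

function demo() {
  const target = "http://10.0.0.1/admin", evil = "http://bobthehacker.com", good = "http://myinternaldomain.com";
  const get = { method: "GET", url: target, headers: {} };
  const put = { method: "PUT", url: target, headers: { "content-type": "application/json" }, body: "{}" };
  const out = {};

  // 1) Old gateway that knows nothing about CORS: no ACAO header, the browser
  //    discards the body. Note the GET still reached the server.
  const legacy = makeGateway();
  out.legacyExposed = browserFetch(evil, get, legacy.handler).exposed;
  out.legacyReached = legacy.log.length;

  // 2) Gateway allow-lists myinternaldomain.com only. Simple GET from the
  //    attacker's origin: handler runs, result hidden; rejectEarly stops the handler.
  const gw = makeGateway(), server = corsServer(gw.handler, [good]);
  out.evilGetExposed = browserFetch(evil, get, server).exposed;
  out.evilGetReached = gw.log.length;
  out.goodGetExposed = browserFetch(good, get, server).exposed;
  const gw2 = makeGateway(), strict = corsServer(gw2.handler, [good], { rejectEarly: true });
  browserFetch(evil, get, strict);
  out.evilStrictReached = gw2.log.length;

  // 3) Non-simple PUT triggers a preflight; the attacker's PUT never leaves the browser.
  const gw3 = makeGateway(), s3 = corsServer(gw3.handler, [good]);
  out.evilPutSent = browserFetch(evil, put, s3).sent;
  out.evilPutReached = gw3.log.length;
  out.goodPutSent = browserFetch(good, put, s3).sent;
  out.goodPutReached = gw3.log.length;
  return out;
}
```

The case worth noticing is 2): with the default behaviour the attacker's simple GET still executes on the gateway, and only the response is withheld, so a state-changing GET or form POST is not prevented by CORS at all. That is why the answer's "configure the server to not even do that" (rejectEarly here, i.e. checking Origin before acting) matters, and why preflighted requests are the only ones the browser refuses to send.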

I share David's concerns. Security must be built layer by layer and a white list served by the origin server seems to be a good approach.

Plus, this white list can be used to close existing loopholes (forms, script tag, etc...); it's safe to assume that a server serving the white list is designed to avoid back compatibility issues.
