关于CORS的安全问题 [英] Security concerns about CORS
问题描述
我刚刚了解了CORS,主要是因为我直到现在才需要它。
I've just learned about CORS, basically because I didn't need it until now.
我读过CORS支持跨站点来源,通过AJAX调用发送HTTP标头,以便其他服务器可以评估请求来自批准的站点。
I've read that CORS enables cross-site origin, by sending HTTP headers with the AJAX call, so the other server can evaluate the request is coming from an approved site.
现在我的主要关注点是,不能是HTTP头被欺骗?例如,攻击者不能将请求卷曲到其他服务器,发送我的CORS请求所做的确切HTTP头吗?
在这种情况下,服务器将接受请求,攻击者将检索服务器将发送给他的任何敏感数据。
Now my main concern is, can't the HTTP headers be spoofed? For example, can't an attacker curl a request to the other server, sending the exact HTTP headers that my CORS request does? In that case, the server will accept the request, and the attacker will retrieve any sensitive data the server will send him.
我们都知道它有多容易是从页面检索javascript,所以我用CORS发送的所有内容都可以通过敏锐的眼睛看到。包括HTTP标头。
We all know how easy it is to retrieve javascript from a page, so everything I send with CORS can easilly be seen by keen eyes. HTTP headers included.
所以,我猜敏感信息永远不应该在CORS通信中共享...
或者我得到这一切都错了吗?
请轻松一点! :)
谢谢
So, I guess sensitive information should never be shared within a CORS communication... Or did I get this everything wrong? Please shed some light! :) Thanks
推荐答案
现在我主要担心的是,不能是HTTP标题是欺骗?例如,攻击者不能将请求卷曲到其他服务器,发送我的CORS请求所做的确切HTTP头吗?
Now my main concern is, can't the HTTP headers be spoofed? For example, can't an attacker curl a request to the other server, sending the exact HTTP headers that my CORS request does?
这里有两个误解。
- CORS标头由服务器发送而不是客户端(尽管有时客户端会发出飞行前OPTIONS请求)
- 同源策略正在保护什么反对
- CORS headers are sent by the server not the client (although sometimes a client will make a pre-flight OPTIONS request)
- What the Same Origin Policy is defending against
同一起源政策的存在是为了阻止Mallory(邪恶)网站通过要求Alice的浏览器在请求时提供来自Bob网站的数据Alice访问了Mallory的网站。
The Same Origin Policy exists to stop Mallory's (evil) website from getting data from Bob's website by asking Alice's browser to request it when Alice visits Mallory's website.
如果可能,那么Mallory可以获得任何应该是Alice和Bob之间共享秘密的信息(例如Alice的账户余额) Bob的银行网站。)
If that was possible, then Mallory could get any information that was supposed to be a shared secret between Alice and Bob (such as Alice's account balance on Bob's banking website).
攻击者不能将请求卷曲到其他服务器,发送我的CORS请求确实的HTTP头?
can't an attacker curl a request to the other server, sending the exact HTTP headers that my CORS request does?
由于Mallory无法知道请求中需要包含哪些安全凭证(因为,例如,它们存储在爱丽丝为Bob的网站提供的cookie):否。
Since Mallory has no way of knowing what security credentials need to be included in the request (because, for instance, they are stored in Alice's cookies for Bob's website): No.
但是CORS在这里并不重要,但是cURL没有实现同源策略,因为它不是浏览器运行由任意网站提供的JavaScript。
But CORS doesn't matter here, but the Same Origin Policy isn't implemented by cURL since it isn't a browser running JavaScript supplied by arbitrary websites.
我想敏感信息永远不应该在CORS通信中共享
I guess sensitive information should never be shared within a CORS communication
这取决于信息的性质。
如果Alice 以及您在其中授权的任何网站允许CORS标题查看它,然后发送它就好了(尽管你应该使用SSL):只要你认证了Alice的身份。
If Alice and whatever websites you authorise in the CORS headers are allowed to see it, then it is fine to send it (although you should probably use SSL): So long as you have authenticated Alice's identity.
如果只有Alice和您的网站应该看到它,那么不要在其上放置CORS标头(并且不提供任何其他方式绕过同源策略,例如JSON-P)。
If only Alice and you site should see it, then don't put CORS headers on it (and don't provide any other way to bypass the Same Origin Policy, such as JSON-P).
如果Alice不应该看到它,那么你永远不应该将它发送到Alice的浏览器,CORS或没有CORS。
If Alice shouldn't see it, then you should never send it to Alice's browser, CORS or no CORS.
这篇关于关于CORS的安全问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
