How is CORS protecting the app?


Question

I am having problems grasping the CORS concept...

The way I see it the same-origin-policy protects the app from making an ajax call to "untrusted domain". So, mydomain.com makes an ajax call to somedomain.com and the resource JSON/Script will not be retrieved.

I thought this is to protect the web app when some XSS vulnerability is discovered and someone puts that code using the tag into your page content and now can make ajax calls to other domains. - Am I right?

If I am right then CORS offers no protection because it's the server policy saying that if a request from mydomain.com comes to somedomain.com it should be allowed. Now, if I am attacking I would add my script and in my server I would set the CORS policy to allow those requests. From what I get CORS can totally bypass the same-origin-policy

:|

Update:

Reading a bit more I found answers that claim that CORS is not to protect the mydomain.com app, but the somedomain.com. Let's say somedomain.com is your bank that offers APIs to make bank transfers. Bank would allow API calls coming from the browser that has their app loaded (the same domain). In their CORS policy they can say that the script coming from mydomain.com can call their APIs. Note that client's browser can have the cookies for the bank set and that opens the bank to the attack by scripts coming from mydomain.com

Answer

CORS does not protect the app.

The Same Origin Policy protects the app by preventing other sites from using a logged-in user's browser to read data from it.

CORS allows the server to give other sites permission to read that data (for when the information needs to be shared). i.e. CORS is how you say "Do not apply the Same Origin Policy here".


"Now, if I am attacking I would add my script and in my server I would set the CORS policy to allow those requests."

No. The server hosting the data has to set CORS headers. You can't give your own script permission to read data from someone else's site.

XSS is an unrelated category of security vulnerabilities. CORS and the Same Origin Policy have nothing to do with them.
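The point the answer makes, that only the server hosting the data can relax the Same Origin Policy, is easiest to see by modelling the decision a browser takes when a script on one origin tries to read a response from another. The following is an added example, not code from the question, the answer or any browser; the origins, header values and the `canReadResponse` helper are constructed for illustration, and the model covers only the "can the caller read the response" part of CORS (no preflight handling).

```javascript
// Added example: a minimal model of the browser-side CORS read check.
// Everything here is constructed for illustration and is not browser code.

// Decide whether the browser lets the calling page read a cross-origin response.
//   pageOrigin      origin of the script making the request, e.g. "https://mydomain.com"
//   targetOrigin    origin of the server being called,      e.g. "https://somedomain.com"
//   responseHeaders headers returned by the *target* server (names assumed lowercase)
//   withCredentials whether the browser attached cookies to the request
// Note that nothing the calling page's own server returns is an input here:
// the only headers consulted are the ones the data-hosting server sends back.
function canReadResponse(pageOrigin, targetOrigin, responseHeaders, withCredentials) {
  // Same origin: the Same Origin Policy does not restrict the read at all.
  if (pageOrigin === targetOrigin) return true;

  const allowOrigin = responseHeaders["access-control-allow-origin"];
  // Target server set no CORS header: the response is not readable.
  if (allowOrigin === undefined) return false;

  // A wildcard is accepted only for requests made without cookies.
  if (allowOrigin === "*") return !withCredentials;

  // The header must name the calling page's origin exactly.
  if (allowOrigin !== pageOrigin) return false;

  // With cookies attached, the server must additionally opt in to credentials.
  if (withCredentials) {
    return responseHeaders["access-control-allow-credentials"] === "true";
  }
  return true;
}

// Constructed responses from the "bank" (somedomain.com) in the question.
const bankSaysNothing = {};
const bankAllowsMydomainWithCookies = {
  "access-control-allow-origin": "https://mydomain.com",
  "access-control-allow-credentials": "true",
};
const bankAllowsOnlyItsOwnApp = {
  "access-control-allow-origin": "https://app.somedomain.com",
};
const bankWildcard = { "access-control-allow-origin": "*" };

const PAGE = "https://mydomain.com";
const BANK = "https://somedomain.com";

// Run the scenarios from the question and return the browser's decisions.
function scenarios() {
  return {
    // Bank sets no CORS headers: a page on mydomain.com cannot read bank data,
    // whatever that page's own server is configured to send.
    noHeaders: canReadResponse(PAGE, BANK, bankSaysNothing, true),
    // Bank explicitly trusts mydomain.com with cookies: readable. This is the
    // exposure the question's update describes, and it is the bank's choice.
    bankOptsIn: canReadResponse(PAGE, BANK, bankAllowsMydomainWithCookies, true),
    // Bank allows a different origin: not readable from mydomain.com.
    wrongOrigin: canReadResponse(PAGE, BANK, bankAllowsOnlyItsOwnApp, true),
    // Bank answers '*' but cookies were attached: the browser refuses.
    wildcardWithCookies: canReadResponse(PAGE, BANK, bankWildcard, true),
    // '*' without cookies: public, non-personalised data is readable.
    wildcardNoCookies: canReadResponse(PAGE, BANK, bankWildcard, false),
  };
}

console.log(scenarios());
```

Two things worth keeping in mind when reading the model: the decision is driven entirely by the data-hosting server's response headers, which is why an attacker's own server configuration is irrelevant to reading someone else's data; and the check governs whether the response becomes readable, not whether a simple request is sent at all, so endpoints that change state still need their own request-forgery defences independent of CORS.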

