Cross-Origin Resource Sharing (CORS) - am I missing something here?


Problem description

I was reading about CORS and I think the implementation is both simple and effective.

However, unless I'm missing something, I think there's a big part missing from the spec. As I understand, it's the foreign site that decides, based on the origin of the request (and optionally including credentials), whether to allow access to its resources. This is fine.

But what if malicious code on the page wants to POST a user's sensitive information to a foreign site? The foreign site is obviously going to authenticate the request. Hence, again if I'm not missing something, CORS actually makes it easier to steal sensitive information.

I think it would have made much more sense if the original site could also supply an immutable list of servers its page is allowed to access.

So the expanded sequence would be:

  1. Supply a page with list of acceptable CORS servers (abc.com, xyz.com, etc)
  2. Page wants to make an XHR request to abc.com - the browser allows this because it's in the allowed list and authentication proceeds as normal
  3. Page wants to make an XHR request to malicious.com - request rejected locally (ie by the browser) because the server is not in the list.

I know that malicious code could still use JSONP to do its dirty work, but I would have thought that a complete implementation of CORS would imply the closing of the script tag multi-site loophole.

I also checked out the official CORS spec (http://www.w3.org/TR/cors) and could not find any mention of this issue.

Solution

> But what if malicious code on the page wants to POST a user's sensitive information to a foreign site?

What about it? You can already do that without CORS. Even back as far as Netscape 2, you have always been able to transfer information to any third-party site through simple GET and POST requests caused by interfaces as simple as form.submit(), new Image or setting window.location.

If malicious code has access to sensitive information, you have already totally lost.

> 3) Page wants to make an XHR request to malicious.com - request rejected locally

Why would a page try to make an XHR request to a site it has not already whitelisted?

If you are trying to protect against the actions of malicious script injected due to XSS vulnerabilities, you are attempting to fix the symptom, not the cause.
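
The model both posts rely on, as an added sketch that is not part of the original question or answer: the foreign server decides which origins may read its responses, and the browser enforces that decision only on the read, since a simple request is sent either way. The origin names, `ALLOWED_ORIGINS` and the three function names are assumptions made for illustration.

```javascript
// Added example: the two decisions involved in a simple cross-origin XHR.
// ALLOWED_ORIGINS and all function names are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://partner.example"]);

// Server side (the "foreign site"): choose the CORS headers for a request.
function corsResponseHeaders(requestOrigin, allowCredentials) {
  // The response varies with Origin, so shared caches must key on it.
  const headers = { Vary: "Origin" };
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return headers; // no grant: the browser will withhold the response from script
  }
  // Echo the exact origin; "*" is not accepted for credentialed requests.
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  if (allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: may the calling script read the response it received?
function scriptMayReadResponse(pageOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (withCredentials) {
    return acao === pageOrigin &&
      responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// One simple (non-preflighted) request from pageOrigin to the foreign site.
function simulateSimpleRequest(pageOrigin, withCredentials) {
  const responseHeaders = corsResponseHeaders(pageOrigin, true);
  return {
    // Simple requests reach the server whatever the CORS outcome,
    // exactly as form.submit() or new Image always could.
    requestSent: true,
    responseReadable: scriptMayReadResponse(pageOrigin, withCredentials, responseHeaders),
  };
}
```

CORS therefore widens what a page may read from another origin; it does not change what a page may send.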
