什么时候可以安全启用CORS? [英] When is it safe to enable CORS?
问题描述
我正在开发一个JSON / REST网络API,我特别希望第三方网站能够通过AJAX调用我的服务。因此,我的服务是发送着名的CORS头:
访问控制允许原产地:*
这允许第三方网站通过AJAX调用我的服务。
但是,我的网络api的子部分是非公开的,并且需要身份验证(使用OAuth和access_token cookie的很标准的东西)。是否可以在我的网站的这一部分上启用CORS?
一方面,如果第三方网站可以有一个jax客户端与我这部分我的服务。然而,原因是同一起源政策的原因是,这可能是有风险的。您不希望以后访问的任何网站都能访问您的私人内容。
我担心的情况是,用户登录我的网络api,无论是在网站上,还是通过他信任的网站,他忘记注销。这将允许他之后使用现有会话访问他的私人内容的所有其他网站吗?
所以我的问题:
- 是否可以在非公开内容上启用CORS?
- 如果启用CORS的服务器通过Cookie设置session_token,保存在CORS服务器或主网页服务器的域下?
document.cookie 。只有在设置 .withCredentials 属性时,cookie才会发送到服务器,即使这样,只有在服务器设置 Access-控制 - 允许凭证标题。 您的第一个问题有点更开放。这是相当安全的,但有办法规避事情。例如,攻击者可以使用DNS中毒技术使预检请求命中实际服务器,但将实际的CORS请求发送到流氓服务器。以下是有关CORS安全性的更多资源:
最后,您的问题是让您的任何网站访问您的CORS数据。为了防止这种情况,你不应该使用 Access-Control-Allow-Origin:* 头。相反,您应该回显用户的Origin值。例如:
Access-Control-Allow-Origin:http://www.example.com
此标头只允许 http://www.example.com 以访问响应数据。
I am developing a JSON/REST web API, for which I specifically want third party websites to be able to call my service through AJAX. Hence, my service is sending the famous CORS header:
Access-Control-Allow-Origin: *
Which allows third party sites to call my service through AJAX. All fine so far.
However, a subsection of my web api is non-public and requires authentication (pretty standard stuff with OAuth and an access_token cookie). Is it safe to enable CORS on this part of my site as well?
On the one hand, it would be cool if third party websites could have ajax clients that also interact with this part of my service. However, the reason that there is a same origin policy in the first place, is that this might be risky. You don't want any website that you visit afterwards to be able to access your private content.
The scenario that I am afraid of is that a user logs in on my web api, either on the website or through a website that he trusts, and he forgets to logout. Will this allow every other website that he vists afterwards to access his private content using the existing session?
So my questions:
- Is it ever safe to enable CORS on non-public content?
- If a CORS enabled server sets a session_token through a cookie, will this cookie be saved under the domain of the CORS server or main web-page server?
In answer to your second question (If a CORS enabled server sets a session_token through a cookie...?), the cookie is saved under the domain of the CORS server. The main web page's JS code can't access the cookie, even via document.cookie. The cookie is only sent to the server when the .withCredentials property is set, and even then, it is only accepted when the server sets the Access-Control-Allow-Credentials header.
Your first question is a little more open ended. It is fairly secure, but there are ways to circumvent things. For example, an attacker could use a DNS poisoning technique to cause a preflight request to hit the actual server, but send the actual CORS request to the rogue server. Here are some more resources on CORS security:
Lastly, your concern is around giving any website access to your CORS data. In order to protect against this, you should not use the Access-Control-Allow-Origin: * header. Instead, you should echo back the user's Origin value. For example:
Access-Control-Allow-Origin: http://www.example.com
This header will allow only http://www.example.com to access the response data.
这篇关于什么时候可以安全启用CORS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
