Understanding AJAX CORS and security considerations


Question

I am trying to understand why CORS works in the way that it works.

As I learned from this post, when a page from www.a.com makes an AJAX request to www.b.com, then it's www.b.com that decides if the request should be allowed or not.

But what exactly is secured on the client in such a model? For example, if a hacker succeeds in making an XSS script injection to my page, then it makes an AJAX request to his domain to store user data. So the hacker's domain will allow such a request for sure.

I thought that www.a.com should decide to which domains to allow the request. So in theory, within a header Access-Control-Allow-Origin I would like to put the whole list of the domains that are allowed for AJAX CORS requests.

Can someone explain what security problems the current CORS implementation handles?

Answer

> As I learned from this post, when a page from www.a.com makes an AJAX request to www.b.com, then it's www.b.com that decides if the request should be allowed or not.

Not quite.

By default the JavaScript running on www.a.com is forbidden access to the response from www.b.com.

CORS allows www.b.com to give permission to the JavaScript from www.a.com to access the response.

> But what exactly is secured on the client in such a model?

It stops the author of www.a.com from reading data from www.b.com using the browser of a user who has visited both sites and has been authenticated on www.b.com (and thus has access to data that isn't public).

For example, Alice is logged into Google. Alice visits malicious.example, which uses XMLHttpRequest to access data from gmail.com. Alice has a GMail account, so the response has a list of the most recent emails in her inbox. The same origin policy prevents malicious.example from reading it.

> For example, if a hacker succeeds in making an XSS script injection to my page, then it makes an AJAX request to his domain to store user data. So the hacker's domain will allow such a request for sure.

Correct. XSS is a different security problem that needs to be addressed at source (i.e. at www.a.com and not in the browser).
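The following is an added example, not code from the question or the answer above. It models the two halves of the exchange the answer describes: the resource server (www.b.com) publishing its allowlist through Access-Control-Allow-Origin, and the browser deciding whether the script on the requesting origin may read the response. The function names, the allowlist contents and the origins are constructed for this example; the decision logic follows the CORS rules a browser applies (origin match, and the rule that a wildcard never covers a credentialed request), simplified to the response-read check that the answer is about.

```javascript
// Added example: an offline model of the CORS read check (not a browser API).
// Server side (www.b.com in the thread): the allowlist of origins that may
// read responses lives HERE, on the resource server, not on www.a.com.
const ALLOWED_ORIGINS = new Set(["https://www.a.com"]); // constructed sample
const SERVER_ALLOWS_CREDENTIALS = true;                  // constructed policy

function corsHeadersFor(requestOrigin) {
  // Reflect only allowlisted origins; never echo an arbitrary Origin value.
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    // Caches must key on Origin because the answer depends on it.
    "Vary": "Origin",
  };
  if (SERVER_ALLOWS_CREDENTIALS) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: may JavaScript running on `scriptOrigin` read a response
// carrying `responseHeaders`? The request itself is always sent (with the
// user's cookies when `withCredentials` is set); CORS only gates the read.
function canReadResponse(scriptOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined) return false;        // no grant: same-origin policy applies
  if (acao === "*") return !withCredentials;   // wildcard never covers credentialed requests
  if (acao !== scriptOrigin) return false;     // grant was issued to a different origin
  if (withCredentials && acac !== "true") return false;
  return true;
}

// One simulated round trip: the browser attaches Origin automatically,
// www.b.com answers from its allowlist, the browser enforces the result.
function simulateFetch(scriptOrigin, withCredentials) {
  const responseHeaders = corsHeadersFor(scriptOrigin);
  return canReadResponse(scriptOrigin, responseHeaders, withCredentials);
}

// The Alice scenario from the answer: malicious.example is not on the
// allowlist, so the cookie-bearing response arrives but cannot be read.
function aliceScenarioBlocked() {
  return simulateFetch("https://malicious.example", true) === false;
}
```

The model also shows why the questioner's idea of putting the list on www.a.com would not help: the browser consults headers from the responding server, so only www.b.com can grant or withhold the read, and a server the attacker controls will simply grant it, which is the answer's point that XSS has to be fixed at its source.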
