What is the concept behind Access-Control-Allow-Origin and CORS?


Question

I don't really get Access-Control-Allow-Origin and CORS.
If I allow requests from any domain to my page, does that imply any security issues for my page?

I always thought that SOP ensures that no script can run on a page which requests data from another server, as that data might be malicious. But as the server which serves the malicious data can just reply with a header containing Access-Control-Allow-Origin: *, everything can be loaded from that server.
So as soon as somebody manages to inject a piece of JS code into a page, any malicious code can be loaded from a server belonging to the attacker.


Until now I assumed that I would have to enable cross-domain requests to allow code on my page to request data from another domain, but it seems to be the other way round: the other domain has to allow my domain to request data. I don't really see the security benefits of this concept.
Could anybody explain the concepts behind this or tell me if I am getting it all wrong?

Answer

Given:

  • Alice

  • Bob, a website owner who has a website

  • Mallory, a malicious website owner

Alice has an account on Bob's server. Maybe it is her webmail. Maybe it is her online banking. Maybe it is somewhere she likes to shop.

Alice visits Mallory's website, not knowing that it is evil.

The Same Origin Policy prevents Mallory's website from using JavaScript to tell Alice's browser to make a request to Bob's website and give Alice's personal information (her bank balance for instance) to Mallory's website (and therefore to Mallory).

(Sometimes the request will be blocked because the conditions require a pre-flight request, other times the request will go through but the response will not be provided to Mallory's site. Look up CSRF if you want to defend against attacks where the danger lies in what the server does when it gets the request rather than in information leaking from the response).

CORS allows Bob to say that a resource on his website does not contain any personal information so that it is safe to allow other sites to access it (or that a particular site can be trusted with the personal information).


So as soon as somebody manages to inject a piece of JS code into a page,

XSS is a completely different security problem. You need to prevent people injecting JS.
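As an added example (not part of the original question or answer), here is the decision Bob's server makes, in the answer's terms: a resource with no personal information is opened to every origin, one trusted origin is allowed to read personal data with Alice's cookies, and Mallory's site gets nothing, so her browser withholds the response. The origins, paths and the `reflect_any_origin` misconfiguration are constructed for illustration, and `browser_may_read` is a simplified model of the browser-side check.

```python
from typing import Dict, Optional

# Constructed sample data: origins Bob trusts with personal data, and
# resources on Bob's site that contain no personal information.
TRUSTED_ORIGINS = {"https://partner.example"}
PUBLIC_PATHS = {"/exchange-rates"}


def cors_headers(path: str, origin: Optional[str]) -> Dict[str, str]:
    """Headers Bob's server adds for a request to `path` from a page at
    `origin` (None when the request is same-origin or has no Origin header).
    A public resource gets "*" (readable by anyone, never with credentials);
    a trusted origin is echoed back and may send Alice's cookies; anything
    else gets no CORS headers, so the browser withholds the response."""
    headers: Dict[str, str] = {}
    if path in PUBLIC_PATHS:
        headers["Access-Control-Allow-Origin"] = "*"
    elif origin in TRUSTED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Vary"] = "Origin"  # response differs per origin; tell caches
    return headers


def reflect_any_origin(origin: Optional[str]) -> Dict[str, str]:
    """The misconfiguration to avoid: echoing whatever Origin arrives and
    allowing credentials switches the protection off for every site,
    Mallory's included."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def browser_may_read(headers: Dict[str, str], origin: str,
                     credentialed: bool) -> bool:
    """Simplified browser-side check: may the script at `origin` read this
    response? A credentialed request (cookies sent) is never satisfied by
    "*" and additionally needs Access-Control-Allow-Credentials: true."""
    allowed = headers.get("Access-Control-Allow-Origin")
    if allowed == "*":
        return not credentialed
    if allowed != origin:
        return False
    if not credentialed:
        return True
    return headers.get("Access-Control-Allow-Credentials") == "true"
```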
