Cordova & CORS (iOS)


Problem description


I recently got my hands on a relatively old cordova app for iOS (iphones), which was built around one year ago, in order to debug it.

The app queries an API from a server. This server is built using Laravel and makes use of laravel-cors.

For a peculiar reason, the developers of this app have set up CORS server-side to accept requests, only if the Origin header is missing.

I was told that the app was working just fine for the past year. While debugging it, I noticed that the iOS browser adds origin => 'file://' to its headers when the cordova app uses $.ajax for doing requests.

And now for my questions

Are you aware of such a change on newer iOS versions? I suppose I can't do anything client-side in order to bypass it?

How safe is it to add "file://" as an accepted origin, server-side?

Thanks a ton!

Solution

The reason the server accepts null-Origin isn't "peculiar" -- that is how CORS is defined to work. It is intended to protect against browser-based XSS attacks -- browsers send the Origin header automatically so the server can accept or reject the request based on which domain(s) they allow javascript calls from. It is intended as a safe standards-based successor to the JSONP hack to allow cross-origin server requests, but in a controlled way. By default, browsers require and allow only same-origin XHRs and other similar requests (full list).

CORS is undefined for non-browser clients, since non-browser clients can set whatever Origin they want to anyway (e.g. curl), so in those cases it makes sense to just leave off the Origin header completely.

To answer part of your question, it is not (very) safe to add file:// as an accepted origin server-side. The reason is that an attacker wishing to bypass CORS protections could trick a user into downloading a web page to their filesystem and then executing it in their browser -- thus bypassing any intended Origin restrictions since file:// is in the allowed list. There may also be other exploits, known and unknown, that could take advantage of servers that accept a file:// origin.

You'll have to evaluate the risks of adding this based on your own project requirements.
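As an added illustration (not code from the question, the answer, or laravel-cors), here is a minimal origin check in Python that mirrors the policy described above: a request with no Origin header is treated as a non-browser client and passes, an allowlisted web origin passes, and the opaque origins `file://` and `null` are refused rather than allowlisted. The allowlist, the `handle` endpoint and the sample requests are constructed for the example.

```python
# Added example, not from the page or from laravel-cors: a server-side Origin
# policy that allows listed web origins, treats a missing Origin as a
# non-browser request, and refuses opaque origins instead of allowlisting them.
from typing import Optional

# Constructed allowlist; real values would come from server configuration.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})

# Origins a browser reports for content not served over http(s), such as a
# page opened from disk. Any local HTML file can present these, so they
# identify nothing and must not be trusted as an origin.
OPAQUE_ORIGINS = ("null", "file://")


def cors_headers(origin: Optional[str]) -> Optional[dict]:
    """Decide the CORS response for a given Origin header value.

    Returns {} when no Origin is present (not a CORS request, so no CORS
    headers are emitted), None when the origin must be refused, and the
    Access-Control-* headers when it is allowed.
    """
    if origin is None:
        return {}
    if origin in OPAQUE_ORIGINS or origin.startswith("file://"):
        return None
    # Exact match only: "https://app.example.com.evil.net" must not pass.
    if origin not in ALLOWED_ORIGINS:
        return None
    return {
        "Access-Control-Allow-Origin": origin,  # echo the matched origin, not "*"
        "Vary": "Origin",  # stop caches reusing this header for another origin
    }


def handle(headers: dict) -> int:
    """Hypothetical API endpoint: 200 when the request may proceed, else 403."""
    decision = cors_headers(headers.get("Origin"))
    return 403 if decision is None else 200


# Constructed sample requests: curl-style (no Origin), the web app, a Cordova
# WebView sending file://, a sandboxed/opaque origin, and a look-alike domain.
SAMPLE_REQUESTS = [
    {},
    {"Origin": "https://app.example.com"},
    {"Origin": "file://"},
    {"Origin": "null"},
    {"Origin": "https://app.example.com.evil.net"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.get("Origin", "<no Origin>"), "->", handle(req))
```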
