What is the purpose of the XHR cross domain restrictions?


Problem description



I was always wondering what the purpose of the XHR cross domain restrictions is.

It seems the intention is to prevent maliciously injected Javascript from sending private data to the attacker. However, sending data to any domain is easily possible with an injected script or img tag (or any other external resource for that matter).

Solution

If any arbitrary website could make an XHR call to your website, then the following could happen:

1. Innocent user Alice logs into your secure website and acquires a secure session cookie.
2. In another browser tab, Alice visits Bob's evil hacker website (which she thinks is just a Justin Bieber video).
3. Bob's page issues an XHR to your secure website. Without the cross-domain policy, the browser would issue the request to your website — including the secure session cookie — and retrieve the results. Those results could include anything available to Alice while she's logged in to your secure site.

As it is, even with the cross-domain policy, Bob's evil website can in fact POST an HTTP request to your server by posting a form. It won't be able to see the results, but if Bob is clever he may have discovered a URL in your site that allows some activity from a POST even if it's not from a form on one of your pages. That's called Cross-Site Request Forgery, and it's something the browser cannot protect you from.
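The answer ends with the part the same-origin policy does not cover: a foreign page can still submit a form POST, and the browser attaches the victim's session cookie to it. As an added example (not part of the original question or answer), the Python below shows the server-side check a site can apply to every state-changing request so that Bob's auto-submitted form is refused while a form served by the site itself is accepted. It verifies the browser-supplied Origin (or Referer) header against the site's own origin and requires a CSRF token bound to the session, which a page on another origin cannot read. The origin `https://secure.example`, the session id, the `Request` record and the two sample requests are all constructed for illustration; the token scheme is a standard HMAC-over-session-id synchronizer token, not the site's actual implementation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical origin of "your secure website" from the answer (constructed).
SITE_ORIGIN = "https://secure.example"

# Per-process key used to derive CSRF tokens; generated fresh here for the example.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed, not a framework type)."""
    method: str
    headers: dict   # request headers, e.g. {"Origin": "https://evil.example"}
    cookies: dict   # cookies the browser attached, e.g. {"session": "..."}
    form: dict      # decoded form fields


def issue_csrf_token(session_id: str) -> str:
    """Token your own pages embed in forms: HMAC(secret, session_id).

    Bob's page cannot compute it (no secret) and cannot read it out of
    your page (same-origin policy blocks cross-origin reads), so a cross-site
    form POST arrives without a valid token.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_ours(headers: dict) -> bool:
    """Accept only requests the browser reports as originating from our own site."""
    origin = headers.get("Origin")
    if origin is not None:
        # Browsers send "null" for sandboxed or opaque origins; that is not ours either.
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(SITE_ORIGIN + "/")
    # Neither header present: a state-changing request should not be trusted.
    return False


def is_state_change_allowed(req: Request) -> tuple:
    """Return (allowed, reason) for a request that would change server state."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        # Safe methods must never change state, so no CSRF check is needed here.
        return True, "safe method"
    session_id = req.cookies.get("session")
    if session_id is None:
        return False, "no session"
    if not origin_is_ours(req.headers):
        return False, "origin mismatch"
    expected = issue_csrf_token(session_id)
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so token checking does not leak timing information.
    if not hmac.compare_digest(expected, supplied):
        return False, "bad csrf token"
    return True, "ok"


# Constructed sample requests for Alice's session.
ALICE_SESSION = "alice-session-123"

# A form on one of your own pages, carrying the token you embedded in it.
LEGIT_POST = Request(
    method="POST",
    headers={"Origin": SITE_ORIGIN},
    cookies={"session": ALICE_SESSION},
    form={"action": "transfer", "csrf_token": issue_csrf_token(ALICE_SESSION)},
)

# Bob's page auto-submitting a form: the browser still attaches Alice's cookie,
# but the Origin is Bob's site and no valid token is present.
CROSS_SITE_POST = Request(
    method="POST",
    headers={"Origin": "https://evil.example"},
    cookies={"session": ALICE_SESSION},
    form={"action": "transfer"},
)

if __name__ == "__main__":
    for name, req in (("legit", LEGIT_POST), ("cross-site", CROSS_SITE_POST)):
        print(name, is_state_change_allowed(req))
```

The Origin check and the token check are deliberately independent: the token alone defends against a forged POST, and the Origin check catches requests where the token was never issued or was stripped. Modern browsers add a third layer the answer predates, the `SameSite` cookie attribute, which stops the session cookie from being attached to cross-site form POSTs at all; it is worth setting, but a server-side check like the one above is what remains under your control.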
