相同域请求的Origin和Host标头 [英] Origin and Host headers for same domain requests
问题描述
我们有RESTful JSON端点服务于AJAX请求,希望支持跨源资源共享。我们正在锁定以确保我们不必担心跨站点请求伪造(CSRF)攻击。我们使用的方法的一部分是检查Origin标头的存在,并验证它是否包含在已批准的Origins的白名单中。但是,我们注意到某些浏览器(其中包含Chrome和Safari)包含带有AJAX POST请求的Origin标头,即使源自同一域(因此不是CORS请求)。
由于我们不希望我们的用户必须将提供REST端点的域列入白名单,我们希望自动确定是否给定请求是相同域或交叉源。要做到这一点,现在我们最好的尝试是监视Origin标头的存在,如果存在,则将其与Host标头的值进行比较。我们的逻辑是,如果Origin与Host匹配,则此请求必须是Same Domain,因此我们不需要在白名单中检查Origin。
以下是我们正在考虑使用的服务器端JS代码片段:
if(typeof(headers [] Origin])!==undefined&&
headers [Origin]。replace(new RegExp(^。*?//),)!== headers [主持人]&&
!包含(allowedOrigins,headers.Origin)){
return false;
}其他{
返回true;
}
需要正则表达式比较,因为Origin标头将如下所示:
http:// localhost:8080
主机标头的显示方式如下:
localhost:8080
因此,我使用该正则表达式去除主要的http://。
问题是我们还没有看到使用或讨论这种方法的任何其他实现。这让我们担心,由于某种原因,这可能不是一种合适的方法。所以,问题是 - 比较Host标头和Origin标头是一种安全的方法来确定请求是否来自同一个域?
此外,正在删除领先的协议://来自我所显示的将始终产生与主机相关的正确值?
我建议你检查Ajax标头:
X-Requested-With:XMLHttpRequest
同源Ajax可以添加自定义标头和几乎所有流行的框架(如jQuery)都添加了X-Requested-With:XMLHttpRequest。
但是,对于CORS,自定义标头会引发飞行前的HTTP OPTIONS请求。 / p>
因此,如果您看到X-Requested-With:XMLHttpRequest(或任何其他自定义标头)没有预先飞行,您就会知道它是一个同源Ajax调用。
We have RESTful JSON endpoints serving AJAX requests, with the desire to support Cross Origin Resource Sharing. We are locking things down to ensure that we don't have to worry about Cross Site Request Forgery (CSRF) attacks. Part of the approach we are using is to check for the presence of a Origin header and verify that it is included in a whitelist of approved Origins. However, we have noticed that some browsers (Chrome and Safari among them) include the Origin header with AJAX POST requests, even when originating from the same domain (so not a CORS request).
Since we would prefer to not require our users to have to whitelist the same domain that the REST endpoints are being served from, we would like to determine automatically whether or not a given request is "Same Domain" or "Cross Origin". To do this, right now our best attempt is to watch for the presence of an Origin header, and if it exists, compare it with the value of the Host header. Our logic is that if the Origin matches the Host, then this request must be "Same Domain" and so we do not need to check for the Origin in the whitelist.
Here is a snippet of the server-side JS code we are thinking of using to accomplish this:
if (typeof (headers["Origin"]) !== "undefined" &&
headers["Origin"].replace(new RegExp("^.*?//"), "") !== headers["Host"] &&
!contains(allowedOrigins, headers.Origin) ) {
return false;
} else {
return true;
}
The regexp comparison is needed because Origin header will come in looking like this:
http://localhost:8080
Whereas the Host header will come in looking like this:
localhost:8080
So I use that regexp to strip off the leading http://.
The problem is that we haven't seen any other implementations using or discussing this approach. This concerns us that maybe this isn't an appropriate method, for some reason. So, the question is - is comparing the Host header with the Origin header a safe way to determine if a request originates from the same domain?
Also, is removing the leading protocol:// from the Origin as I've shown going to always yield the proper value in relation to Host?
I would advice you to instead check for the Ajax header: X-Requested-With: XMLHttpRequest
Same-origin Ajax can add custom headers and almost all popular frameworks such as jQuery adds X-Requested-With: XMLHttpRequest.
For CORS however, custom headers provoke a pre-flight HTTP OPTIONS request.
Thus, if you see X-Requested-With: XMLHttpRequest (or any other custom header) without a pre-flight you know it's a same-origin Ajax call.
这篇关于相同域请求的Origin和Host标头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
