Why CSRF token should be in meta tag and in cookie?

Question

What's the need of to put CSRF token name and value inside <head> tag using <meta> like:

For example:

<meta content="authenticity_token" name="csrf-param" />
<meta content="4sWPhTlJAmt1IcyNq1FCyivsAVhHqjiDCKRXOgOQock=" name="csrf-token" />

I've read about concept to keep CSRF value in cookie but does not find about why to keep inside <head> tag.

Recommended answer

To prevent CSRF you need a value that is submitted with the request that cannot be sent by a malicious site. Authentication cookies are not suitable because if an attacker can make the browser send a request to the victim site, the cookies will automatically be submitted.

For example, by submitting a form via JavaScript contained on www.evil.com to attack the user's session on www.example.com:

<form method="post" action="https://www.example.com/executeAction">
    <input type="hidden" name="action" value="deleteAllUsers">
</form>

<script>document.forms[0].submit()</script>

Storing an anti-CSRF token within the page is the OWASP recommended solution for preventing another website from submitting the form, as the random token in the user's session cannot be read by www.evil.com due to the Same Origin Policy preventing JavaScript on www.evil.com reading the page content of www.example.com.

These tokens can be stored anywhere within the page. Most commonly it will be within hidden form fields, but they could also be stored within HTML 5 data- attributes. It seems like using meta tags is simply another way it can be stored where the JavaScript can include it in any form submissions the page makes.
