Is it safe to enable CORS to * for a public and readonly webservice?


Question

There are several security issues with enabling CORS:

  • CSRF

  • Exposure of protected data

But are there any issues for a public and readonly webservice to enable global CORS?

Access-Control-Allow-Origin: *

My assumptions:

  • CSRF is not relevant, because the webservice is readonly.

  • Since the webservice is public, no stealing of protected data is involved.

Answer

Here's something relevant from the Fetch spec (which defines CORS):

Basic safe CORS protocol setup

For resources where data is protected through IP authentication or a firewall (unfortunately relatively common still), using the CORS protocol is unsafe. (This is the reason why the CORS protocol had to be invented.)

However, otherwise using the following header is safe:

Access-Control-Allow-Origin: *

Even if a resource exposes additional information based on cookie or HTTP authentication, using the above header will not reveal it. It will share the resource with APIs such as XMLHttpRequest, much like it is already shared with curl and wget.

Thus, in other words, if a resource cannot be accessed from a random device connected to the web using curl and wget, the aforementioned header is not to be included. If it can be accessed, however, it is perfectly fine to do so.

And the author of the Fetch/CORS spec goes into a bit more detail in a related blog posting (https://annevankesteren.nl/2012/12/cors-101):

It is completely safe to augment any resource with Access-Control-Allow-Origin: * as long as the resource is not part of an intranet (behind a firewall). In other words, a URL you can fetch from a server on the internet using wget or curl. For your basic web site this encompasses all resources on the site. The Access-Control-Allow-Origin header (part of CORS) tells the browser the resource can be shared.

Even if the resource includes confidential information based on cookies or HTTP authentication data in the request, including the header and sharing the resource is still safe, since the browser will make the request without any cookies or HTTP authentication data. And if the browser did make the request with cookies or HTTP authentication data, it would never share the resource because that would require an additional header, Access-Control-Allow-Credentials, and a different value for the aforementioned header.

So go ahead and safely share your public data with other applications!
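As an added example (not part of the original question or answer, and not code from the Fetch spec or the linked blog post), the following JavaScript models the browser-side "CORS check" that the answer's last paragraph relies on, following the steps the Fetch specification lays out, and puts the server headers for the public read-only case next to the credentialed variant. The function names, the origins and the allowlist are constructed for this example.

```javascript
// Browser side: the CORS check as the Fetch spec describes it. Given the
// requesting page's origin, the request's credentials mode ("omit",
// "same-origin" or "include") and the response headers, decide whether the
// browser exposes the response body to script on that page.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const allowOrigin = headers.get("access-control-allow-origin");
  // 1. No Access-Control-Allow-Origin at all: never shared cross-origin.
  if (allowOrigin === undefined) return false;
  // For a cross-origin request only "include" actually sends cookies / HTTP auth.
  const credentialed = credentialsMode === "include";
  // 2. An anonymous request accepts the wildcard.
  if (!credentialed && allowOrigin === "*") return true;
  // 3. Otherwise the header must name the requesting origin exactly. "*" is not
  //    equal to any origin, so a credentialed request against "*" fails here.
  if (allowOrigin !== requestOrigin) return false;
  // 4. Anonymous request with a matching origin: shared.
  if (!credentialed) return true;
  // 5. Credentialed request: additionally needs Access-Control-Allow-Credentials: true.
  return headers.get("access-control-allow-credentials") === "true";
}

// Server side: headers for a public, read-only resource, i.e. one that curl or
// wget on a random internet host can already fetch. The wildcard is deliberately
// paired with NO Access-Control-Allow-Credentials header, so a cookie- or
// auth-dependent response is never handed to another origin.
function publicCorsHeaders() {
  return {
    "Access-Control-Allow-Origin": "*",
    // Preflight answer for a read-only endpoint: safe methods only.
    "Access-Control-Allow-Methods": "GET, HEAD, OPTIONS",
  };
}

// Server side, for contrast: the credentialed variant. The origin is echoed only
// from an explicit allowlist; "*" is refused by browsers here, and echoing an
// unvalidated Origin header would let any site read the protected data.
function credentialedCorsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {}; // no CORS headers: not shared
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // caches must not replay one origin's answer to another
  };
}

// Constructed scenarios (origins are made up for this example).
function scenarios() {
  const site = "https://example-client.test";
  const other = "https://other-site.test";
  const pub = publicCorsHeaders();
  return {
    publicAnonymous: corsCheck(site, "omit", pub), // true
    publicSameOriginMode: corsCheck(site, "same-origin", pub), // true: no credentials sent cross-origin
    publicWithCredentials: corsCheck(site, "include", pub), // false: "*" never pairs with credentials
    credentialedAllowlisted: corsCheck(site, "include", credentialedCorsHeaders(site, [site])), // true
    credentialedNotAllowlisted: corsCheck(other, "include", credentialedCorsHeaders(other, [site])), // false
    credentialedMissingAllowCredentials: corsCheck(site, "include", { "Access-Control-Allow-Origin": site }), // false
    noCorsHeaders: corsCheck(site, "omit", {}), // false
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

The `publicWithCredentials` case is the one the answer's last paragraph describes: even if the server's wildcard response happened to vary by cookie, the browser discards it for a credentialed request, so the only thing a third-party page can read is what an anonymous curl or wget would get anyway. `publicCorsHeaders()` belongs only on resources that meet that curl/wget condition; a resource reachable solely because the client sits inside a firewall or an IP allowlist is the unsafe case the spec calls out, and no header combination on the server can express "public to the internet but not to my intranet".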
