Whitelisted CORS using Apache


Problem description

I am looking to set up my (Red Hat Linux/Apache 2.2.3) website to allow Ajax calls from HTML5 apps written in Javascript where these scripts might be hosted elsewhere.

This is what CORS is all about.

There are many descriptions of how to enable CORS via mod_headers. Just about all of them set the Access-Control-Allow-Origin header to "*", which opens the site up to the world.

But the same-origin policy is in place for a reason, and this level of access raises real security questions.

How can I whitelist the sites (could be dozens of them, but sites of people I have business relationships with) I want without opening my site to the world?

The only discussion I've seen that discusses this is http://blog.blakesimpson.co.uk/read/64-apache-configure-cors-headers-for-whitelist-domains but:

  1. That page, while insightful, was not thorough.
  2. The approach does not look manageable with a largish number of allowed origins.

What are security-conscious web administrators doing?

Recommended answer

You can put all your whitelisted domains as below, and also define a generic regexp match for more flexible whitelisting of domains.

<IfModule mod_headers.c>

   ##########################################################################
   # 1.) ENABLE CORS PRE-FLIGHT REQUESTS
   # e.g. PUT, DELETE, OPTIONS, ...
   # we need to set Access-Control-Allow-Headers and
   # Access-Control-Allow-Methods for allowed domain(s)
   ##########################################################################

   # first check for pre-flight headers and set as environment variables
   # (browsers send these values in lower case, hence the NoCase variants;
   # PUT/DELETE and Content-Type are example values, adjust them to your API)
   SetEnvIfNoCase Access-Control-Request-Method "^(PUT|DELETE)$" METHOD_A
   SetEnvIfNoCase Access-Control-Request-Headers "^Content-Type$" HEADER_A

   # set corresponding response pre-flight headers for allowed domain(s)
   # (the response carries the *Allow* headers; the *Request* headers are
   # what the browser sends, not what the server answers with)
   Header set Access-Control-Allow-Methods "PUT, DELETE" env=METHOD_A
   Header set Access-Control-Allow-Headers "Content-Type" env=HEADER_A

   # TODO: add allowed additional pre-flight requests here...

   #########################################################################
   # 2.) ENABLE CORS *SIMPLE REQUESTS* (vs. Pre-Flight Requests from above)
   # e.g. GET, POST and HEAD requests
   # we need to set Access-Control-Allow-Origin header for allowed domain(s)
   # also note that POST requests need to match one of the following
   # Content-Type:
   # 1) application/x-www-form-urlencoded
   # 2) multipart/form-data
   # 3) text/plain
   #########################################################################

   # e.g. origin = https://host-b.local
   # the pattern is anchored and the dot escaped so that only this exact
   # origin (optionally with a port) sets the variable; $0 is the whole match
   SetEnvIfNoCase Origin "^https://host-b\.local(:\d+)?$" AccessControlAllowOrigin=$0
   Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin

   # the response now differs per Origin, so tell caches not to reuse it
   # for a different origin
   Header append Vary Origin

   # generic regexp match for more flexible use cases (uncomment to use)
   #SetEnvIfNoCase Origin "^((http(s?))?://(www\.)?(host\-a|host\-b)\.local)(:\d+)?$" AccessControlAllowOrigin=$0
   #Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin

   # TODO: add additional whitelisted domain here...

</IfModule>
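A quick way to check an Origin pattern before deploying it, as an added example that is not part of the answer: Python's `re` stands in for Apache's regex matching in `SetEnvIfNoCase Origin ... AccessControlAllowOrigin=$0`, and the origins below are constructed test values, not real sites. It compares the single-host rule written without anchors against an anchored, dot-escaped form, and also models the browser side, which only accepts an Access-Control-Allow-Origin that exactly equals its own origin.

```python
import re

# Constructed test origins (not from the page): the partner site, the same
# site on a port, a wrong scheme, and two lookalikes a whitelist must reject.
ORIGINS = [
    "https://host-b.local",
    "https://host-b.local:8443",
    "http://host-b.local",            # wrong scheme
    "https://host-b.local.example",   # partner host used as a prefix
    "https://host-bXlocal",           # an unescaped "." matches any character
]

# The single-host rule as it might be written (no anchors, dot unescaped)
# and a hardened form (anchored, dot escaped, optional explicit port).
AS_WRITTEN = r"https://host-b.local"
HARDENED = r"^https://host-b\.local(:\d+)?$"

def setenvif_match(pattern, origin):
    """Stand-in for `SetEnvIfNoCase Origin <pattern> AccessControlAllowOrigin=$0`:
    an unanchored, case-insensitive search whose $0 is the matched text.
    Returns the Access-Control-Allow-Origin value Apache would send, or None
    when the env variable stays unset and the header is therefore omitted."""
    m = re.search(pattern, origin, re.IGNORECASE)
    return m.group(0) if m else None

def browser_accepts(origin, acao):
    """Browsers accept a cross-origin response only when ACAO is '*' or
    exactly equals the requesting origin (scheme, host and port)."""
    return acao is not None and (acao == "*" or acao == origin)

def evaluate(pattern):
    """Map each test origin to whether its cross-origin request would succeed
    under the given Origin pattern."""
    return {o: browser_accepts(o, setenvif_match(pattern, o)) for o in ORIGINS}

if __name__ == "__main__":
    for name, pattern in (("as written", AS_WRITTEN), ("hardened", HARDENED)):
        print(f"--- {name}: {pattern}")
        for origin, ok in evaluate(pattern).items():
            print(f"{'ALLOW' if ok else 'deny ':5} {origin}")
```

Note that the unanchored rule survives the prefix lookalike only by accident (the browser rejects the truncated `$0` value), while the unescaped dot lets a host that differs by one character through; the hardened pattern rejects both and still admits an explicit port.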
