WebSocket and the Origin header field


Question

The following is quoted from RFC6455 - WebSocket protocol.

Servers that are not intended to process input from any web page but only for certain sites SHOULD verify the |Origin| field is an origin they expect. If the origin indicated is unacceptable to the server, then it SHOULD respond to the WebSocket handshake with a reply containing HTTP 403 Forbidden status code.

The |Origin| header field protects from the attack cases when the untrusted party is typically the author of a JavaScript application that is executing in the context of the trusted client. The client itself can contact the server and, via the mechanism of the |Origin| header field, determine whether to extend those communication privileges to the JavaScript application. The intent is not to prevent non-browsers from establishing connections but rather to ensure that trusted browsers under the control of potentially malicious JavaScript cannot fake a WebSocket handshake.

I just cannot be sure about what the 2nd paragraph means, especially the italic part. Could anyone explain it a bit? Or maybe an example.

My understanding so far is like this:

  • If server CAN be sure that requests DO come from Web pages, the ORIGIN header can be used to prevent access from un-welcomed Web pages.

  • If server CANNOT be sure that requests come from Web pages, the ORIGIN header is merely advisory.

Answer

Your understanding seems to be correct, but..

I would rephrase it - you can be sure that a JavaScript client will send a proper Origin header. You don't know what will be sent by other clients (and whether the value is correct or not).

This should prevent other pages from connecting to "your" web socket endpoints (which is a big deal; imagine injected JavaScript somewhere on jsfiddle or some frequently visited page), but if you need to make sure that no other client will be able to connect to it, you'll need to introduce some other security measures.

I believe this is meant only as prevention of browser-based "data stealing" or "DDoSing", nothing else; you can still do that by using some other client.
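The point the answer makes, as an added example that is not part of the original question or answer: a minimal handshake validator in Python that applies the RFC 6455 Origin check (403 for a page from an unexpected origin) and then, separately, requires a valid session cookie, since a non-browser client can send any Origin value or none at all. The allowlist, the session store, the cookie name and the request builder are constructed for this illustration; the GUID and the sample key are the ones given in RFC 6455.

```python
import base64
import hashlib
from typing import Dict, Optional, Tuple

# Fixed GUID from RFC 6455 section 1.3, appended to the client key to
# derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed allowlist: the only web origin expected to open sockets here.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Constructed session store standing in for a real session backend.
VALID_SESSIONS = {"sess-42"}


def parse_handshake(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP upgrade request into its request line and lower-cased headers."""
    text = raw.decode("latin-1")
    request_line, _, rest = text.partition("\r\n")
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_cookies(header: Optional[str]) -> Dict[str, str]:
    """Parse a Cookie header value into a name -> value mapping."""
    cookies: Dict[str, str] = {}
    if not header:
        return cookies
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def handshake_response(raw: bytes) -> bytes:
    """Decide the reply to an opening handshake: 400, 403, 401 or 101."""
    _, h = parse_handshake(raw)
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"

    # Origin check: a browser always sends the page's origin, so a script
    # running on any other site is refused here (RFC 6455 section 10.2).
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"

    # The Origin check is not authentication: a non-browser client may send
    # any Origin, or none. A valid session (constructed cookie) is required too.
    session = parse_cookies(h.get("cookie")).get("session")
    if session not in VALID_SESSIONS:
        return b"HTTP/1.1 401 Unauthorized\r\n\r\n"

    accept = accept_key(h["sec-websocket-key"])
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept}\r\n\r\n"
    ).encode("ascii")


def status_of(response: bytes) -> int:
    """Extract the numeric status code from a response's status line."""
    return int(response.split(b" ", 2)[1])


def build_request(origin: Optional[str], cookie: Optional[str]) -> bytes:
    """Construct a sample upgrade request; the key is the sample from RFC 6455."""
    lines = [
        "GET /chat HTTP/1.1",
        "Host: ws.example.com",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
        "Sec-WebSocket-Version: 13",
    ]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    if cookie is not None:
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    # Same-origin page with a session: 101. Foreign page, even with the
    # browser-attached cookie: 403. Non-browser client without a session: 401.
    for label, req in [
        ("trusted page", build_request("https://app.example.com", "session=sess-42")),
        ("foreign page", build_request("https://other.example", "session=sess-42")),
        ("no origin, no session", build_request(None, None)),
    ]:
        print(label, status_of(handshake_response(req)))
```

The last case in the block is the one the answer warns about: a client that omits Origin (or sets it to the allowed value) passes the Origin check, so only the session requirement keeps it out, and a client holding a valid session is admitted regardless of Origin. The Origin check protects against pages in a victim's browser, not against arbitrary clients.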
