What security risks exist when setting Access-Control-Allow-Origin to accept all domains?


Question

I recently had to set Access-Control-Allow-Origin to * in order to be able to make cross-subdomain AJAX calls. I feel like this might be a security problem. What risks am I exposing myself to if I keep the setting?

Answer

Access-Control-Allow-Origin: * is totally safe to add to any resource, unless that resource contains private data protected by something other than standard credentials. Standard credentials are cookies, HTTP basic auth, and TLS client certificates.

Imagine https://example.com/users-private-data, which may expose private data depending on the user's logged in state. This state uses a session cookie. It's safe to add Access-Control-Allow-Origin: * to this resource, as this header only allows access to the response if the request is made without cookies, and cookies are required to get the private data. As a result, no private data is leaked.

Imagine https://intranet.example.com/company-private-data, which exposes private company data, but this can only be accessed if you're on the company's wifi network. It's not safe to add Access-Control-Allow-Origin: * to this resource, as it's protected using something other than standard credentials. Otherwise, a bad script could use you as a tunnel to the intranet.

Imagine what a user would see if they accessed the resource in an incognito window. If you're happy with everyone seeing this content (including the source code the browser received), it's safe to add Access-Control-Allow-Origin: *.
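The following is an added example, not part of the original question or answer. It models the browser-side CORS check from the Fetch standard and the two protection models the answer contrasts (a session cookie versus network position), so you can see mechanically why `Access-Control-Allow-Origin: *` cannot leak cookie-gated data but does expose an intranet resource. The resource objects, origins and policy shapes are constructed for illustration; the one piece of real behaviour encoded is the rule that a `*` origin is never combined with credentials and that a credentialed response is only readable when the origin is echoed exactly and `Access-Control-Allow-Credentials: true` is present.

```javascript
// Added example (not from the original post): a minimal model of the browser
// CORS decision, showing why "Access-Control-Allow-Origin: *" cannot leak
// cookie-protected data but does expose network-position-protected data.

// Response headers a server emits for a given request origin.
// 'public'  : always "*" (the setting the question asks about)
// 'private' : echo only an allow-listed origin and opt in to credentials
function corsHeadersFor(policy, requestOrigin) {
  if (policy.kind === 'public') {
    return { 'access-control-allow-origin': '*' };
  }
  if (policy.allowedOrigins.includes(requestOrigin)) {
    return {
      'access-control-allow-origin': requestOrigin, // never "*" here
      'access-control-allow-credentials': 'true',
      vary: 'Origin', // keep caches from serving one origin's headers to another
    };
  }
  return {}; // no CORS headers: cross-origin script cannot read the body
}

// Browser-side rule (Fetch standard "CORS check"): the body is exposed to the
// calling script only if ACAO matches the request origin, or is "*" for a
// request made without credentials. A credentialed request additionally needs
// ACAC "true", and "*" is rejected outright in that case.
function browserMayReadResponse(headers, requestOrigin, credentialsSent) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !credentialsSent;
  if (acao !== requestOrigin) return false;
  return !credentialsSent || headers['access-control-allow-credentials'] === 'true';
}

// Server-side body selection for the two protection models in the answer.
// 'cookie'  : private data only when a session cookie accompanied the request
// 'network' : private data for anyone who can reach the host (intranet case)
function serve(resource, credentialsSent) {
  if (resource.protection === 'cookie') {
    return credentialsSent ? resource.privateBody : resource.publicBody;
  }
  return resource.privateBody; // no per-request check at all
}

// What a cross-origin attacker page at `attackerOrigin` ends up reading.
// The attacker picks whether to send credentials (fetch credentials: 'include');
// the browser decides whether the script may read the result.
function attackerReads(resource, policy, attackerOrigin, withCredentials) {
  const headers = corsHeadersFor(policy, attackerOrigin);
  const body = serve(resource, withCredentials);
  return browserMayReadResponse(headers, attackerOrigin, withCredentials) ? body : null;
}

// Constructed sample resources (hypothetical hosts and bodies).
const usersPrivateData = {
  protection: 'cookie',
  publicBody: 'not logged in',
  privateBody: 'alice: account details',
};
const intranetData = {
  protection: 'network',
  privateBody: 'internal company data',
};
const wildcardPolicy = { kind: 'public' };
const allowlistPolicy = { kind: 'private', allowedOrigins: ['https://app.example.com'] };

// Stand-alone demo: both attacker strategies against each resource.
for (const withCreds of [true, false]) {
  console.log(`cookie-gated resource, ACAO *, credentials=${withCreds}:`,
    attackerReads(usersPrivateData, wildcardPolicy, 'https://evil.example', withCreds));
}
console.log('intranet resource, ACAO *, no credentials:',
  attackerReads(intranetData, wildcardPolicy, 'https://evil.example', false));
console.log('cookie-gated resource, allow-list, evil origin:',
  attackerReads(usersPrivateData, allowlistPolicy, 'https://evil.example', true));
```

Running it prints `null` for the cookie-gated resource whenever the attacker sends cookies (the browser refuses to expose a `*` response to a credentialed request) and `not logged in` when they do not, so nothing private leaks; the intranet resource, by contrast, hands over its body with no credentials at all, which is the tunnel the answer warns about. The allow-list policy is the shape to use instead of `*` when a resource must be readable cross-origin with cookies.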
