The concept of CORS and should I enforce an Origin header?


Problem description

As far as I understand CORS cannot exactly protect you in the way that you can really be sure who the caller is. Because the caller can send any ORIGIN header he wants. Actually I read somewhere you cannot set the origin header via javascript as it is a restricted header - but I'm not quite sure of that. Anyway, if you were to implement your own HttpClient you could easily forge your origin header and therefore consume services which you are not supposed to consume.

Secondly, if no Origin header is specified the request works as well. For example I use Google Chrome's Postman Extension and it doesn't send any origin headers. In fact if you try to add one manually it doesn't send it over the wire.

Therefore...

  • ...question 1 is: Should my application deny requests without any Origin header? And...
  • ...question 2: How exactly does CORS make my REST service more secure?

Recommended answer

There are browsers supporting CORS and browsers not supporting CORS. (We are at the early stage of CORS; the implementations of the CORS specification across browsers are not consistent.)

  • Not supporting CORS means that when the browser detects a cross-origin request, the request is blocked and is not sent to the server.
  • Supporting CORS means that the browser applies the CORS policy: it appends the Origin header before sending the request to the server, and after receiving the response the browser checks Access-Control-Allow-Origin and decides whether to discard the response.

The same-origin policy is intended to reduce the risks of XSS attacks; this attack mostly happens in browsers and is not likely to happen in an HttpClient. The CORS policy is for relaxing the same-origin policy, so that if you are the owner of both sites you can leverage this policy to allow communication between your 2 sites.

Tip: Supporting CORS means that the browser has to apply the cross-origin security policy after it has contacted the server and has obtained the response headers, meaning that the request is made even if the response is discarded because the required header is missing or specifies a different domain. This is a very different approach from browsers that don't implement CORS and that simply block the request, never contacting the server.

Excerpt from the book
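As an added example (not part of the original question or answer), the following Python models the two halves of the exchange the answer describes: the server's decision about Access-Control-Allow-Origin based on the Origin header it receives, and the check a CORS-aware browser performs only after the response has already arrived. The allowlist and the origins used are constructed for illustration; note that a request without Origin is simply handled, which is why the Origin header cannot serve as access control.

```python
from typing import Optional

# Constructed allowlist for this example: exact origins (scheme + host + port).
# Membership is exact string match, so "https://app.example.com.evil.net"
# is not accepted by accident.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_response_headers(request_headers: dict, allowed_origins: set) -> dict:
    """Server side: choose the CORS headers to attach to the response.
    Origin is added by browsers and can be omitted or forged by other clients,
    so a missing header is not rejected here; authentication, not CORS, decides
    who may use the API. The request itself is processed in every branch."""
    origin = request_headers.get("Origin")
    if origin is None:
        # Same-origin browser request or non-browser client (curl, Postman):
        # no CORS headers are needed.
        return {}
    if origin not in allowed_origins:
        # Unknown origin: omit Access-Control-Allow-Origin so a CORS-aware
        # browser discards the response; Vary keeps caches from mixing origins.
        return {"Vary": "Origin"}
    # Echo the single allowed origin (never "*" together with credentials).
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def browser_exposes_response(page_origin: str, response_headers: dict,
                             credentialed: bool = False) -> bool:
    """Browser side: the check made after the server has already answered.
    Returns whether the page's script may read the response body."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False                    # header missing: response is discarded
    if acao == "*":
        return not credentialed         # wildcard never satisfies credentialed
    acac_ok = response_headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == page_origin and (not credentialed or acac_ok)


def simulate_cross_origin_call(page_origin: Optional[str],
                               credentialed: bool = False) -> bool:
    """Round trip: browser attaches Origin, server answers, browser decides.
    None models a client that sends no Origin; the server still answers."""
    request = {} if page_origin is None else {"Origin": page_origin}
    response = cors_response_headers(request, ALLOWED_ORIGINS)
    return browser_exposes_response(page_origin or "", response, credentialed)
```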
