Understanding AJAX CORS and security considerations


Question

I am trying to understand why CORS works the way it does.

As I learned from this post, when a page from www.a.com makes an AJAX request to www.b.com, it is www.b.com that decides whether the request should be allowed or not.

But what exactly is secured on the client in such a model? For example, if a hacker succeeds in injecting an XSS script into my page, then it makes an AJAX request to his domain to store user data. So the hacker's domain will allow such a request for sure.

I thought that www.a.com should decide which domains the request may be sent to. So in theory, within the header Access-Control-Allow-Origin, I would like to put the whole list of domains that are allowed for AJAX CORS requests.

Can someone explain what security problems the current CORS implementation handles?

Answer

As I learned from this post, when a page from www.a.com makes an AJAX request to www.b.com, it is www.b.com that decides whether the request should be allowed or not.

Not quite. The request isn't blocked (at least, if it is simple).

By default, the JavaScript running on www.a.com is forbidden access to the response from www.b.com.

CORS allows www.b.com to give the JavaScript on www.a.com permission to access the response.

But what exactly is secured on the client in such a model?

It stops the author of www.a.com from reading data from www.b.com using the browser of a user who has visited both sites and has been authenticated on www.b.com (and thus has access to data that isn't public).

For example, Alice is logged into Google. Alice visits malicious.example, which uses XMLHttpRequest to access data from gmail.com. Alice has a Gmail account, so the response contains a list of the most recent emails in her inbox. The same-origin policy prevents malicious.example from reading it.

For example, if a hacker succeeds in injecting an XSS script into my page, then it makes an AJAX request to his domain to store user data. So the hacker's domain will allow such a request for sure.

Correct. XSS is a different security problem that needs to be addressed at the source (i.e. at www.a.com and not in the browser).
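The distinction the answer draws (the request goes out, only the script's read of the response is gated, and the target site grants that read) is easy to get wrong in practice, so here is an added example that models it in code. It is not code from the original question or answer: the "simple request" test, the browser-side check on the response, and the allowlist handler standing in for www.b.com are simplifications of the Fetch specification's CORS rules, and the hostnames `https://mail.example` and `https://malicious.example`, the allowlist and the fake inbox body are assumptions chosen for illustration.

```javascript
// Added example: a model of the browser's CORS decision for a *simple* request,
// plus a tiny allowlist-based handler standing in for www.b.com.
// Hostnames, allowlist and response body are constructed for illustration.

// Reduced version of the Fetch spec's "CORS-safelisted" rules: requests that
// match them are sent without a preflight (the "simple" case in the answer).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// `authorHeaders` are headers the page's script set itself (not browser-set
// ones such as Origin or Cookie).
function isSimpleRequest(method, authorHeaders = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(authorHeaders)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return false;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// What the browser does once the response is back. The request has already
// reached the server (with cookies if `credentials` is true); only the
// script's *read* of the response depends on Access-Control-Allow-Origin.
function scriptMayReadResponse({ origin, credentials, responseHeaders }) {
  const acao = responseHeaders["access-control-allow-origin"];
  const acac = responseHeaders["access-control-allow-credentials"];
  if (acao === undefined) return false;             // no CORS header: response stays opaque to JS
  if (acao === "*") return !credentials;            // wildcard never covers credentialed requests
  if (acao !== origin) return false;                // header must name the exact requesting origin
  if (credentials && acac !== "true") return false; // credentialed reads need explicit opt-in
  return true;
}

// Stand-in for www.b.com: it is the *responding* site that grants a read.
// Echoing an allowlisted Origin (never "*") is the safe pattern for data
// behind a login; echoing any Origin unconditionally would undo the protection.
function serverHandler(allowedOrigins) {
  return (request) => {
    const origin = request.headers["origin"];
    const headers = { "content-type": "application/json" };
    if (origin !== undefined && allowedOrigins.has(origin)) {
      headers["access-control-allow-origin"] = origin;
      headers["access-control-allow-credentials"] = "true";
      headers["vary"] = "Origin"; // keep caches from serving one origin's grant to another
    }
    return { status: 200, headers, body: JSON.stringify({ inbox: ["mail 1", "mail 2"] }) };
  };
}

// Full exchange: a page at `pageOrigin` issues a credentialed simple GET.
// Returns whether that page's JavaScript is allowed to read the body.
function simulateCrossOriginRead(pageOrigin, handler) {
  const request = { method: "GET", headers: { origin: pageOrigin } };
  if (!isSimpleRequest(request.method, {})) throw new Error("would need a preflight first");
  const response = handler(request); // the request is NOT blocked; the server sees it
  return scriptMayReadResponse({
    origin: pageOrigin,
    credentials: true,
    responseHeaders: response.headers,
  });
}

// Constructed scenario mirroring the answer: a mail server that only trusts
// its own front end, and a malicious page trying to read Alice's inbox.
const inboxServer = serverHandler(new Set(["https://mail.example"]));
console.log(simulateCrossOriginRead("https://malicious.example", inboxServer)); // false
console.log(simulateCrossOriginRead("https://mail.example", inboxServer));      // true
```

Note that `serverHandler` still builds and returns the inbox body for the malicious origin; the only thing that differs is the absence of the Access-Control-Allow-Origin header, which is exactly why the answer says the request "isn't blocked" and why any side effect of a simple request (a state-changing POST, for instance) is a CSRF concern that CORS alone does not address.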
