正确的 CORS 设置是否可以防止 CSRF 攻击? [英] Does a proper CORS setup prevent CSRF attack?

问题描述

如果在服务器上正确设置了 CORS，只允许特定来源访问服务器，

If CORS is properly setup on a server to only allow a certain origins to access the server,

这足以防止 CSRF 攻击吗?

Is this enough to prevent CSRF attacks?

推荐答案

更具体地说，很容易误以为如果 evil.com 由于 CORS 无法向 good.com 发出请求，那么 CSRF 就是阻止了.然而，有两个问题被忽略了:

To be more specific, it is easy to make the mistake of thinking that if evil.com cannot make a request to good.com due to CORS then CSRF is prevented. There are two problems being overlooked, however:

1. CORS 仅受浏览器支持.这意味着谷歌浏览器将遵守 CORS，并且不会让 evil.com 向 good.com 提出请求.但是，想象一下有人构建了一个原生应用程序或任何具有将内容发布到您的站点的表单.XSRF 令牌是防止这种情况的唯一方法.

1. CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.com make a request to good.com. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.

是否容易忽略CORS仅针对JS请求的事实.evil.com 上的常规表单回传到 good.com，尽管使用了 CORS.

Is it easy to overlook the fact that CORS is only for JS request. A regular form on evil.com that POSTs back to good.com will still work despite CORS.

由于这些原因，CORS 不是 XSRF 令牌的良好替代品.最好同时使用.

For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.

这篇关于正确的 CORS 设置是否可以防止 CSRF 攻击?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！