What are the security risks of setting Access-Control-Allow-Origin?


Question


I recently had to set Access-Control-Allow-Origin to * in order to be able to make cross-subdomain ajax calls.
Now I can't help but feel that I'm putting my environment to security risks.
Please help me if I'm doing it wrong.

Recommended answer


By responding with Access-Control-Allow-Origin: * the requested resource allows sharing with every origin. This basically means that any site can send an XHR request to your site and access the server’s response, which would not be the case if you hadn’t implemented this CORS response.


So any site can make a request to your site on behalf of their visitors and process the response of it. If you have something implemented like an authentication or authorization scheme that is based on something that is automatically provided by the browser (cookies, cookie-based sessions, etc.), the requests triggered by the third-party sites will use them, too.


This indeed poses a security risk, particularly if you allow resource sharing not just for selected resources but for every resource. In this context you should have a look at When is it safe to enable CORS?.
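The question only needed cross-subdomain calls, and the usual fix is to stop answering with `*` and instead echo back the requesting `Origin` only when it is on an allow-list. The following is an added example (not code from the question, the answer, or any framework) of that check in plain Python: it parses the `Origin` header, insists on `https`, and matches the host on label boundaries so that look-alike hosts such as `evil-example.com` or `example.com.attacker.net` are rejected. The domain `example.com` and the header dictionaries are constructed for the example; `cors_headers` returns an empty dictionary when no grant should be made.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example: the site's own registrable domain.
# Every https origin that is this domain or one of its subdomains is trusted.
TRUSTED_DOMAIN = "example.com"


def origin_is_trusted(origin: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """Return True only for an https Origin that is trusted_domain or a subdomain of it."""
    if not origin or origin == "null":
        # Missing Origin (same-origin or non-browser client) and the opaque
        # "null" origin (sandboxed iframes, file://) never get a grant.
        return False
    parts = urlsplit(origin)
    # A browser-sent Origin is scheme://host[:port] with no path, query or fragment.
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return False
    host = parts.hostname  # lower-cased, userinfo stripped; None if absent
    if not host:
        return False
    # Compare on label boundaries: a bare endswith(trusted_domain) would also
    # accept "evil-example.com".
    return host == trusted_domain or host.endswith("." + trusted_domain)


def cors_headers(request_headers: dict, allow_credentials: bool = False) -> dict:
    """Headers to add to the response; an empty dict means no CORS grant at all."""
    origin = request_headers.get("Origin", "")
    if not origin_is_trusted(origin):
        return {}
    headers = {
        # Echo the validated origin instead of "*", so only allow-listed
        # subdomains can read the response.
        "Access-Control-Allow-Origin": origin,
        # Tell shared caches the grant depends on the Origin, so one origin's
        # response is not replayed to another.
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed sample origins to show which ones receive a grant.
    for sample in ("https://api.example.com", "https://example.com",
                   "https://evil-example.com", "https://example.com.attacker.net",
                   "http://api.example.com", "null"):
        print(f"{sample:40s} -> {cors_headers({'Origin': sample})}")
```

Echoing a validated origin rather than `*` is also what makes it possible to send `Access-Control-Allow-Credentials: true` for the cookie-backed subdomain calls the question describes, since browsers refuse to expose a credentialed response when the header is the literal `*`. The `Vary: Origin` header matters whenever a CDN or proxy sits in front of the application.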
