When is it safe to enable CORS?

Question

I am developing a JSON/REST web API, for which I specifically want third party websites to be able to call my service through AJAX. Hence, my service is sending the famous CORS header:

Access-Control-Allow-Origin: *

Which allows third party sites to call my service through AJAX. All fine so far.

However, a subsection of my web api is non-public and requires authentication (pretty standard stuff with OAuth and an access_token cookie). Is it safe to enable CORS on this part of my site as well?

On the one hand, it would be cool if third party websites could have ajax clients that also interact with this part of my service. However, the reason that there is a same origin policy in the first place, is that this might be risky. You don't want any website that you visit afterwards to be able to access your private content.

The scenario that I am afraid of is that a user logs in on my web api, either on the website or through a website that he trusts, and he forgets to logout. Will this allow every other website that he visits afterwards to access his private content using the existing session?

So my questions:

  • Is it ever safe to enable CORS on non-public content?
  • If a CORS-enabled server sets a session_token through a cookie, will this cookie be saved under the domain of the CORS server or of the main web page?

Recommended answer

In answer to your second question (If a CORS enabled server sets a session_token through a cookie...?), the cookie is saved under the domain of the CORS server. The main web page's JS code can't access the cookie, even via document.cookie. The cookie is only sent to the server when the .withCredentials property is set, and even then, it is only accepted when the server sets the Access-Control-Allow-Credentials header.

Your first question is a little more open ended. It is fairly secure, but there are ways to circumvent things. For example, an attacker could use a DNS poisoning technique to cause a preflight request to hit the actual server, but send the actual CORS request to the rogue server. Here are some more resources on CORS security:

http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Cross_Origin_Resource_Sharing

Lastly, your concern is around giving any website access to your CORS data. In order to protect against this, you should not use the Access-Control-Allow-Origin: * header. Instead, you should echo back the user's Origin value. For example:

Access-Control-Allow-Origin: http://www.example.com

This header will allow only http://www.example.com to access the response data.
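The header logic described in the answer, as an added example that is not part of the original post: a function that computes the CORS response headers for a public endpoint (wildcard origin, no credentials) versus a private, cookie-authenticated endpoint, where the Origin is echoed back only after it matches an explicit allowlist, since reflecting any Origin together with Allow-Credentials would be equivalent to `*` with credentials. The function name `corsHeaders` and the allowlist entries are this example's own assumptions.

```javascript
// Added example: decide which CORS headers to emit for one request.
// - Public endpoints: any origin may read the response, but credentials are
//   never allowed, so a logged-in user's session cannot be reused by other sites.
// - Private endpoints: only allowlisted origins are echoed back together with
//   Access-Control-Allow-Credentials; everything else gets no CORS headers.
// PRIVATE_ALLOWLIST holds constructed sample origins for this example.
const PRIVATE_ALLOWLIST = new Set([
  "https://www.example.com",
  "https://partner.example.org",
]);

function corsHeaders(origin, { isPrivate }) {
  const headers = {};
  // No Origin header: same-origin page or non-browser client, CORS does not apply.
  if (!origin) return headers;

  if (!isPrivate) {
    headers["Access-Control-Allow-Origin"] = "*";
    // Deliberately no Access-Control-Allow-Credentials: browsers refuse to
    // combine "*" with credentials, which is what we want for public data.
    return headers;
  }

  // Normalise the Origin by parsing it (drops default ports, rejects "null"
  // and malformed values) and compare the whole serialised origin, never a
  // prefix or substring, so "https://www.example.com.attacker.net" is denied.
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return headers;
  }
  if (!PRIVATE_ALLOWLIST.has(parsed.origin)) return headers;

  headers["Access-Control-Allow-Origin"] = parsed.origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  // The response now differs per Origin; tell shared caches not to reuse it.
  headers["Vary"] = "Origin";
  return headers;
}
```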
