Security implications of adding all domains to CORS (Access-Control-Allow-Origin: *)


Question


It is said that instead of adding all domains to CORS, one should only add a set of domains. Yet it is sometimes not trivial to add a set of domains. E.g. if I want to publicly expose an API then for every domain that wants to make a call to that API I would need to be contacted to add that domain to the list of allowed domains.

I'd like to make a conscious trade-off decision between security implications and less work.

The only security issues I see are DoS attacks and CSRF attacks. CSRF attacks can already be achieved with IMG elements and FORM elements. DoS attacks related to CORS can be overcome by blocking requests upon the referrer header.

Am I missing security implications?


===Edit===

  • It is assumed that the Access-Control-Allow-Credentials Header is not set
  • I know how to add a given list of domains "CORS access" and I'm therefore only interested in the security implications of adding all domains "CORS access"

Solution

Cross-Site Request Forgery attacks are far and away the primary concern that Access-Control-Allow-Origin addresses.

Ryan is certainly correct regarding content retrieval. However, on the subject of making the request there is more to say here. Many web sites now provide RESTful web services that expose a wide range of features that may involve making significant changes in the backend. Very often, these RESTful services are intended to be invoked with an XHR (e.g. AJAX) request (probably with a "Single Page Application" as the front-end). If a user has an active session granting access to these services when they visit a malicious third-party site, that site may try to invoke those REST endpoints behind the scenes, passing in values that could compromise the user or the site. Depending on how the REST services are defined, there are various ways to protect against this.

In the specific case of REST web services for a Single Page App, you can dictate that all requests to the backend REST endpoints are made with XHR and refuse any non-XHR request. You can dictate this by checking for the presence of a custom request header (something like jQuery's X-Requested-With). Only XHR-type requests can set these headers; simple GET and POST requests from forms and embedded resources cannot. Finally, the reason that we want to dictate XHR requests gets us back to the original question - XHR requests are subject to CORS rules.

If you allowed Access-Control-Allow-Origin: *, then any site could make any AJAX request on the user's behalf to your REST endpoints. If your REST endpoints involve any kind of sensitive data or allow for data persistence, then this is an unacceptable security vulnerability. Instead, enforce XHR-only requests like I described and define a whitelist of origins allowed to make those requests.

It's worth pointing out that if your REST endpoints do not expose any sensitive information, or if they don't allow the user to make any persistent data changes, then Access-Control-Allow-Origin:* may be the appropriate decision. Google Maps for instance provides read-only views into public map data; there is no reason to restrict the third party sites that may wish to invoke those services.
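The checks the answer describes, as an added example that is not part of the original post or answer: a framework-free request gate that (1) keeps `Access-Control-Allow-Origin: *` for a public read-only endpoint, (2) refuses any request to a sensitive endpoint that lacks jQuery's `X-Requested-With` header, and (3) answers cross-origin preflights and requests only for a whitelist of origins, echoing the origin instead of `*`. The origins, paths and the `{method, path, headers}` request shape are constructed; the whitelisted branch sets `Allow-Credentials: true` because the answer's threat is a user with an active session.

```javascript
// Added example (not from the original post): a plain-JavaScript gate modelling the
// answer's two checks: sensitive endpoints accept only XHR-style requests (jQuery's
// X-Requested-With header), and cross-origin callers must be on an explicit origin
// whitelist that is echoed back instead of "*". Read-only public data still gets "*".
// Origins, paths and the request shape {method, path, headers} are constructed.

const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);
const PUBLIC_READ_ONLY = new Set(["/api/public/map-tiles"]);

// Header names in req.headers are lowercase. Returns { status, headers, reason? };
// status 403 means the request is refused before any handler runs.
function corsGate(req) {
  const h = req.headers;
  const origin = h["origin"];
  const out = {};

  // Public, read-only data (the Google Maps case): "*" is acceptable because the
  // browser never attaches credentials to a "*" response, so a victim's session adds nothing.
  if (PUBLIC_READ_ONLY.has(req.path) && req.method === "GET") {
    out["Access-Control-Allow-Origin"] = "*";
    return { status: 200, headers: out };
  }

  // Preflight: a custom header forces the browser to ask first, so approve only
  // whitelisted origins. Vary: Origin stops caches replaying one origin's approval.
  if (req.method === "OPTIONS" && h["access-control-request-method"]) {
    if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: out, reason: "origin not allowed" };
    out["Access-Control-Allow-Origin"] = origin;
    out["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    out["Access-Control-Allow-Headers"] = "X-Requested-With, Content-Type";
    out["Access-Control-Allow-Credentials"] = "true";
    out["Vary"] = "Origin";
    return { status: 204, headers: out };
  }

  // Actual request: plain <form>, <img> and top-level navigations cannot set this header.
  if (h["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, headers: out, reason: "non-XHR request refused" };
  }

  // Cross-origin XHR: the Origin must be whitelisted. A request without an Origin
  // header is treated as same-origin here (browsers omit it on same-origin GET).
  if (origin !== undefined) {
    if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: out, reason: "origin not allowed" };
    out["Access-Control-Allow-Origin"] = origin;
    out["Access-Control-Allow-Credentials"] = "true";
    out["Vary"] = "Origin";
  }
  return { status: 200, headers: out };
}
```

A third-party page can still trigger the preflight, but the browser only sends the real request (with the victim's cookies) if the preflight approved its origin, and the header check stops the form- and image-based requests the question raises.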
