为什么CORS没有禁用凭证? [英] Why is CORS without credentials forbidden?
问题描述
我想了解为什么不允许无凭据的跨网域请求(默认情况下,不设置服务器返回 Access-Control-Allow-Origin 头)。如果请求的凭据的所有是很简单的 - 一个可以完成一些恶意行为代表您在其他网站,例如在Facebook上,如果你已经登录。
例如此请求:
xhr = new XMLHttpRequest ;
xhr.open('GET','http://www.google.com');
xhr.send();
产生错误(我在Chrome的控制台中从此网站执行):
XMLHttpRequest无法加载 http://www.google.com / 。在所请求的
资源上没有
'Access-Control-Allow-Origin'头。原因 http://stackoverflow.com 因此不允许
访问。
因此,服务器必须向此请求发送适当的标头(例如 Access-Control-Allow-Origin:* )。
这只是一个简单的请求,没有发送cookie。这种限制的意义是什么?
如果允许这样的CORS,可能会发生什么安全问题?
无凭据 - 我的意思是不发送cookie。
XMLHTTPRequest的默认设置为withCredentials = false,这意味着请求中不会发送Cookie - link 。
这里的主要关注点是基于网络拓扑的访问控制。假设你在你的家庭网络上运行一个HTTP服务(事实上,你几乎肯定会做,如果你的路由器本身有一个Web接口)。我们将调用此服务 R ,并且连接到您的家庭路由器的唯一机器可以访问该服务。
当您的浏览器访问 evil.example.com 时,该网站为您的浏览器提供一个脚本,告诉它获取 R 并将其发送回 evil.example.com 。这可能是坏的,即使没有凭据,因为这是违反假设,本地网络外的任何人都无法查看本地网络中运行的服务。同源策略阻止这种情况发生。如果同源策略仅在涉及凭证时才起作用,那么它将打开绕过基于拓扑的保护的可能性。
还要考虑一些公共服务允许基于IP地址的访问:
- 牛津英语字典将其在线条目的访问限制为来自订阅大学的IP地址
- 英国将访问BBC内容的权限限制为来自国内的IP地址
这里,浏览器可以用作任何为其提供脚本的站点的不知情的代理。
I'm trying to understand why cross domain requests without credentials is not allowed (by default, without setting up server to return Access-Control-Allow-Origin header). In case of request with credentials all is pretty straightforward - one can fulfill some malicious actions on your behalf on other sites, for example on facebook, if you have logged in on it.
For example this request:
xhr = new XMLHttpRequest();
xhr.open('GET', 'http://www.google.com');
xhr.send();
produce an error ( I executed it in Chrome's console from this site ):
XMLHttpRequest cannot load http://www.google.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://stackoverflow.com' is therefore not allowed access.
So, server must send an appropriate header ( e.g Access-Control-Allow-Origin: * ) to this request can works.
This is just a simple request and no cookie are sent. What's the sense of such a restriction? What security issues might take place if such CORS will be allowed?
without credentials - I mean without sending cookie. Default settings for XMLHTTPRequest is withCredentials = false which means that no cookie are sent in request - link.
I'll go ahead and liberally steal from Security.SE's Why is the Access-Control-Allow-Origin header necessary?
The main concern here is access control based on network topology. Suppose you run a HTTP service on your home network (in fact, you almost certainly do, if your router itself has a Web interface). We'll call this service R, and the only machines connected to your home router can get to the service.
When your browser visits evil.example.com, that site serves your browser a script, telling it to fetch the contents of R and send it back to evil.example.com. This is potentially bad, even without credentials, because it's a violation of the assumption that no one outside your local network can view the services running inside your local network. The same-origin policy stops this from happening. If the same-origin policy only came into play when credentials were involved, it would opens up the possibility of bypassing topology-based protections.
Consider also that some public services allow access based on IP address:
- the Oxford English Dictionary restricts access to its online entries to IP addresses coming from subscribed universities
- the United Kingdom restricts access to BBC content to IP address from within the country
In all of the cases listed here, a browser could be used as an unwitting proxy for any site that serves it a script.
这篇关于为什么CORS没有禁用凭证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
