为什么CORS没有禁用凭证? [英] Why is CORS without credentials forbidden?
问题描述
我想了解为什么不允许无凭据的跨网域请求(默认情况下,不设置服务器返回 Access-Control-Allow-Origin 头)。如果请求的凭据的所有是很简单的 - 一个可以完成一些恶意行为代表您在其他网站,例如在Facebook上,如果你已经登录。
例如此请求:
xhr = new XMLHttpRequest ;
xhr.open('GET','http://www.google.com');
xhr.send();
产生错误(我在Chrome的控制台中从此网站执行):
XMLHttpRequest无法加载 http://www.google.com / 。在所请求的
资源上没有
'Access-Control-Allow-Origin'头。原因 http://stackoverflow.com 因此不允许
访问。
因此,服务器必须向此请求发送适当的标头(例如 Access-Control-Allow-Origin:* )。
这只是一个简单的请求,没有发送cookie。这种限制的意义是什么?
如果允许这样的CORS,可能会发生什么安全问题?
无凭据 - 我的意思是不发送cookie。
XMLHTTPRequest的默认设置为withCredentials = false,这意味着请求中不会发送Cookie - link 。
这里的主要关注点是基于网络拓扑的访问控制。假设你在你的家庭网络上运行一个HTTP服务(事实上,你几乎肯定会做,如果你的路由器本身有一个Web接口)。我们将调用此服务 R
,并且连接到您的家庭路由器的唯一机器可以访问该服务。
当您的浏览器访问 evil.example.com
时,该网站为您的浏览器提供一个脚本,告诉它获取 R
并将其发送回 evil.example.com
。这可能是坏的,即使没有凭据,因为这是违反假设,本地网络外的任何人都无法查看本地网络中运行的服务。同源策略阻止这种情况发生。如果同源策略仅在涉及凭证时才起作用,那么它将打开绕过基于拓扑的保护的可能性。
还要考虑一些公共服务允许基于IP地址的访问:
- 牛津英语字典将其在线条目的访问限制为来自订阅大学的IP地址
- 英国将访问BBC内容的权限限制为来自国内的IP地址
这里,浏览器可以用作任何为其提供脚本的站点的不知情的代理。
I'm trying to understand why cross domain requests without credentials is not allowed (by default, without setting up server to return Access-Control-Allow-Origin header). In case of request with credentials all is pretty straightforward - one can fulfill some malicious actions on your behalf on other sites, for example on facebook, if you have logged in on it.
For example this request:
xhr = new XMLHttpRequest();
xhr.open('GET', 'http://www.google.com');
xhr.send();
produce an error ( I executed it in Chrome's console from this site ):
XMLHttpRequest cannot load http://www.google.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://stackoverflow.com' is therefore not allowed access.
So, server must send an appropriate header ( e.g Access-Control-Allow-Origin: * ) to this request can works.
This is just a simple request and no cookie are sent. What's the sense of such a restriction? What security issues might take place if such CORS will be allowed?
without credentials - I mean without sending cookie. Default settings for XMLHTTPRequest is withCredentials = false which means that no cookie are sent in request - link.
I'll go ahead and liberally steal from Security.SE's Why is the Access-Control-Allow-Origin header necessary?
The main concern here is access control based on network topology. Suppose you run a HTTP service on your home network (in fact, you almost certainly do, if your router itself has a Web interface). We'll call this service R
, and the only machines connected to your home router can get to the service.
When your browser visits evil.example.com
, that site serves your browser a script, telling it to fetch the contents of R
and send it back to evil.example.com
. This is potentially bad, even without credentials, because it's a violation of the assumption that no one outside your local network can view the services running inside your local network. The same-origin policy stops this from happening. If the same-origin policy only came into play when credentials were involved, it would opens up the possibility of bypassing topology-based protections.
Consider also that some public services allow access based on IP address:
- the Oxford English Dictionary restricts access to its online entries to IP addresses coming from subscribed universities
- the United Kingdom restricts access to BBC content to IP address from within the country
In all of the cases listed here, a browser could be used as an unwitting proxy for any site that serves it a script.
这篇关于为什么CORS没有禁用凭证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!