Do CORS and XSS have any connection?


Problem description


Cross-site scripting (XSS) is mentioned in the Wikipedia page for CORS. But I don't see how they are related. What's the connection between CORS and XSS?

Solution

XSS is mentioned on the Wikipedia article in relation to JSONP, not CORS.

In JSONP you reference a page containing data you want to include client side in your page like so:

<script src="https://example.com/jsonp.aspx?callback=foo"></script>

You then have a JavaScript function on your page called foo that will be called by the external site (example.com in this case) to pass the data through that your client-side requires.

However, if example.com gets compromised and as you are trusting example.com as a source of scripts an attacker can take your site with it and own the client side code. For example, they could be redirecting visitors to their own site, sending themselves your visitors' cookies or injecting JavaScript keyloggers instead of calling your foo function.

With CORS though, if example.com sets the correct headers to allow your site to make AJAX calls to it and retrieve the data, then as you should be treating the data as untrusted input rather than HTML, it is less likely that your site is necessarily compromised. It does depend on what the data is - if it is in fact preformatted HTML and you are outputting it as is then a compromised external site could still affect yours via XSS - however, this is definitely the case with JSONP.

Another point is that if there are any XSS bugs on your site, it would make any CORS restrictions irrelevant. The attacking website would be able to use the XSS vuln to "bypass" the Same Origin Policy at DOM level rather than via XHR. If they needed some information that can only be retrieved from your origin by an AJAX request, they would simply use the XSS attack to inject the script required to do this and send it back to their own domain.
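
The difference the answer describes between JSONP and CORS, as an added example that is not part of the original answer: a JSONP body is executed as script, while a CORS response is a string that is parsed as data and escaped before it reaches the page. The names loadJsonp, loadCors, renderUser, escapeHtml and page are hypothetical, and the response bodies are constructed samples.

```javascript
// Constructed sample response bodies from the third-party host (not real traffic).
const JSONP_OK = 'foo({"user":"alice"})';
const JSONP_TAMPERED = 'page.tampered = true; /* foo is never called */';
const JSON_OK = '{"user":"alice"}';
const JSON_HTML = '{"user":"<img src=x onerror=alert(1)>"}';

// JSONP model: a <script src> tag executes whatever the remote host returns.
// new Function stands in for the browser running that script; `page` is a
// hypothetical stand-in for state the including page owns.
function loadJsonp(body) {
  const page = { received: null, tampered: false };
  const foo = (data) => { page.received = data; };
  new Function('page', 'foo', body)(page, foo);
  return page;
}

// CORS model: the body arrives as a string. JSON.parse either yields plain
// data or throws; it never runs the body as code.
function loadCors(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (err) {
    return { ok: false, data: null };
  }
}

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Build markup from fetched data; escape=false models "outputting it as is".
function renderUser(data, escape) {
  return '<p>' + (escape ? escapeHtml(data.user) : data.user) + '</p>';
}

console.log(loadJsonp(JSONP_OK));                        // callback ran with data
console.log(loadJsonp(JSONP_TAMPERED));                  // page state changed instead
console.log(loadCors(JSONP_TAMPERED));                   // rejected: not JSON
console.log(renderUser(loadCors(JSON_HTML).data, true)); // markup neutralised
```

In a browser the escaped path corresponds to assigning the value through textContent rather than innerHTML.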
