适当的CORS设置是否阻止XSRF？ [英] Does a proper CORS setup prevent XSRF?

问题描述

解决方案

如果CORS在服务器上正确设置，只允许某些来源访问服务器，这是否足以防止XSRF攻击？ div>

更具体地说，很容易犯错误的是，如果evil.com由于CORS不能向good.com发出请求，那么CSRF就会被阻止。但是，有两个问题被忽略：

1. CORS仅受浏览器的影响。这意味着Google Chrome会遵循CORS，而不是让evil.com向good.com发出请求。但是，假设有人构建了一个原生应用程序或任何具有POST事件到您的网站的形式。 XSRF令牌是防止这种情况的唯一方法。




2. 很容易忽略CORS仅用于JS请求的事实。

因为这些原因，evil.com上的正式表单，CORS不是一个很好的替代XSRF令牌。最好同时使用。

If CORS is properly setup on a server to only allow a certain origins to access the server, is this enough to prevent XSRF attacks?

解决方案

To be more specific, it is easy to make the mistake of thinking that if evil.com cannot make a request to good.com due to CORS then CSRF is prevented. There are two problems being overlooked, however:

1. CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.com make a request to good.com. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.

2. Is it easy to overlook the fact that CORS is only for JS request. A regular form on evil.com that POSTs back to good.com will still work despite CORS.

For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.

这篇关于适当的CORS设置是否阻止XSRF？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！