Properly Understanding CORS with Same Host / Different Port & Security


Problem description



I don't do much client side web programming, so I'm trying to grasp this concept in how it relates to my specific situation.

I have a RESTful WCF service running on a port in the 50000s. Additionally, I have a bunch of web forms (not ASP WebForms) written in HTML5/CSS3/JavaScript that make AJAX calls to this WCF service. The web forms are hosted on the same host, but are using port 80. The AJAX calls made by the web forms are all GET only requests.

Additionally, I have a third-party cloud-hosted application that's in a completely different location (different host), which needs to call the WCF service as well. This communication is performing POSTs & PUTs to the WCF service.

Obviously the calls being made from the third-party hosted cloud application are cross-origin. From my research it appears that the different ports are in fact different origins.

I know that security & CORS are different concepts, but here is what I'm trying to accomplish and I need to better understand how all of this works:

Right now I allow all cross-origin requests, and everything is working, but I'd like to limit it down to improve security and then eventually set up HTTPS with transport security with both the webforms & WCF service using the same certificate. The third-party cloud service hosted app would still need to be able to communicate with the WCF service, so I would need to allow it to authenticate differently; that would be done with a secret key being passed since everything is server-side only.

This whole communication 'triangle' feels murky to me, and I hope that SO is the right place for me to be posting this question since it isn't directly code related.

1. Is the WCF - web forms situation described above considered cross-origin?
2. A) If the above is not cross-origin, would I then only need to pass the Access-Control-Allow-Origin: 'https://my-cloud-host' in my web.config?
   B) If it is, I understand that I just need to echo back the allowed origin(s) in the header. What do I set (if anything) for Access-Control-Allow-Origin in IIS in this case? What do I echo if it's not allowed, just the original origin?
3. Would my idea to use the same certificate for mutual SSL authentication work if they are hosted on different ports? Would this prevent the cloud service from communicating with the WCF service, or would having a second endpoint allow for this?
4. Am I losing my mind? I'm so confused by this whole thing.

Solution

1. Yes. In all major browsers except for IE, a different port IS considered to be another origin.
2. A) is correct. You need only allow your port-80 origin to send requests.
3. I'm not sure about that. I tend to believe that SSL is port-aware, and you can't use the same certificate on different ports.
4. You can read this excellent article to give your mind some rest.
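As an added illustration (not code from the question or the answer, and not WCF/IIS configuration), the following Python shows the origin comparison behind answer 1 and the allowlist echo behind answer 2: scheme, host and port must all match, and an origin that is not allowed gets no Access-Control-Allow-Origin header at all rather than having anything echoed back. The host names and the allowlist are constructed for the scenario in the question.

```python
from urllib.parse import urlsplit

# Browsers compare origins as a (scheme, host, port) triple; a missing port
# means the scheme's default, so "http://h" and "http://h:80" are the same.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed allowlist for the scenario in the question: only the port-80
# web-forms origin is a browser origin that needs CORS. The third-party app
# calls the service server-to-server, so no browser enforces CORS for it and
# it is authenticated separately (the secret key mentioned in the question).
ALLOWED_ORIGINS = {("http", "forms.example", 80)}


def origin_tuple(origin):
    """Parse an Origin header value into (scheme, host, port). Returns None
    for anything that is not a well-formed origin ("null", a value with a
    path, userinfo or an unparsable port)."""
    if not origin:
        return None
    parts = urlsplit(origin)
    if (parts.scheme not in DEFAULT_PORTS or not parts.hostname
            or "@" in parts.netloc or parts.path or parts.query or parts.fragment):
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (parts.scheme, parts.hostname, port)


def serialize(triple):
    """Canonical origin string, with the default port left implicit."""
    scheme, host, port = triple
    return f"{scheme}://{host}" if port == DEFAULT_PORTS[scheme] else f"{scheme}://{host}:{port}"


def is_cross_origin(page_origin, api_origin):
    """Question 1: a request is cross-origin unless scheme, host and port all match."""
    return origin_tuple(page_origin) != origin_tuple(api_origin)


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Question 2: CORS response headers for a request carrying `request_origin`.
    An exact allowlist match is echoed back; anything else (unknown origin,
    "null", a look-alike host) gets no Access-Control-Allow-Origin, which makes
    the browser block the response. Vary: Origin stops a shared cache from
    replaying one origin's answer to another."""
    triple = origin_tuple(request_origin)
    if triple is None or triple not in allowed:
        return {"Vary": "Origin"}
    return {"Access-Control-Allow-Origin": serialize(triple), "Vary": "Origin"}
```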
