跨源资源共享的安全性 [英] Security for cross-origin resource sharing

问题描述

我有2个ruby on rails应用程式，位于2个不同的网域（例如 www.exampleA.com 和 www.exampleB.com 。我要在两个应用程序之间共享资源，并使用CORS：

I have 2 ruby on rails app sitting on 2 different domains (say www.exampleA.com and www.exampleB.com. I want to share resources between the 2 apps and I'm using CORS:

exampleA.com 发送http POST请求到 exampleB.com 。

在 exampleB.com 我正在检查 request.env ['HTTP_ORIGIN'] 以确保请求来自 exampleA.com 。我通过设置响应头来允许http post请求。

At exampleB.com I'm checking request.env['HTTP_ORIGIN'] to make sure that the request comes from exampleA.com. If true I respond by setting the response headers to allow the http post request.

我的问题是我可以使用 request.env ['HTTP_ORIGIN'] 作为唯一的检查来验证请求者的身份？

My question is can I use request.env['HTTP_ORIGIN'] as the only check to verify the identity of requester?

有人可能从 www.exampleC .com 来伪造他们的HTTP_ORIGIN看起来像 www.exampleA.com 并发布恶意数据？如果是，那么验证请求者身份的最佳方法是什么？

Is it possible for someone from www.exampleC.com to fake their HTTP_ORIGIN to look like www.exampleA.com and post malicious data? If so what's the best way to verify requester identity?

推荐答案

是以下几种页面作者无法为XHR请求设置的标头字段。因此，您可以安全地信任XHR请求的 Origin 信息。

Origin is one of several header fields that cannot be set for a XHR request by page authors. So you’re safe to trust the Origin information of XHR requests.

但是攻击者仍然可能发送具有恶意数据直接。因此，您仍需要验证传入的请求。

But it is still possible for an attacker to send forged requests with malicious data directly. So you’re still required to validate incoming requests.

这篇关于跨源资源共享的安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！