What are the security benefits of CORS preflight requests?


Question

I've been working on a classic SPA where the front end app lives on app.example.com while the API lives on api.example.com, hence requiring the use of CORS requests. I have set up the server to return the CORS headers; it works fine.

Whenever an AJAX request is not simple, the browser makes an extra OPTIONS request to the server to determine if it can make the call with the payload. See "Simple Requests" on MDN.

The question is: what is the actual benefit of performing the OPTIONS request, particularly in terms of security?

Some users of my app have significant geographical latency, and since the preflight cache doesn't last long, the preflight requests cause latencies to be multiplied.

I'm hoping to make POST requests simple, but just embedding the Content-Type of application/json negates that. One potential solution is to "hack" it by using text/plain or encoding in the URL. Hence, I hope to leave with a full understanding of what CORS preflight requests do for web security. Thanks.

Recommended answer

As noted in the article you linked to:

"These are the same kinds of cross-site requests that web content can already issue, and no response data is released to the requester unless the server sends an appropriate header. Therefore, sites that prevent cross-site request forgery have nothing new to fear from HTTP access control."

Basically it was done to make sure CORS does not introduce any extra means for cross-domain requests to be made that would otherwise be blocked without CORS.

For example, without CORS, the following form content types could only be sent cross-domain via an actual <form> tag, and not by an AJAX request:

  • application/x-www-form-urlencoded

  • multipart/form-data

  • text/plain

Therefore any server receiving a request with one of the above content types knows that there is a possibility of it coming from another domain and knows to take measures against attacks such as Cross Site Request Forgery. Other content types such as application/json could previously only be sent from the same domain, therefore no extra protection was necessary.

Similarly, requests with extra headers (e.g. X-Requested-With) would have previously been similarly protected, as they could only have come from the same domain (a <form> tag cannot add extra headers, and that was previously the only way to do a cross-domain POST). GET and POST are also the only methods supported by a form. HEAD is also listed here as it performs identically to GET, but without the message body being retrieved.

So, in a nutshell, it will stop a "non-simple" request from being made in the first place without OPTIONS being invoked to ensure that both client and server are talking the CORS language. Remember that the Same Origin Policy only prevents reads from different origins, so the preflight mechanism is still needed to prevent writes from taking place, i.e. unsafe methods from being executed in a CSRF scenario.

You might be able to increase performance using the Access-Control-Max-Age header. Details here.
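The rule the answer describes (which requests a browser sends without a preflight, and what that means for the server) as an added example; this is not code from the question or the answer. It models the simple-request check with the three content types and three methods named above, assumes the CORS-safelisted request header names from the Fetch specification (Accept, Accept-Language, Content-Language, Content-Type), and adds the server-side guard that keeps a JSON endpoint behind the preflight instead of accepting the text/plain workaround from the question.

```javascript
// Added example, not part of the original Q&A.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Assumption: the safelisted request header names from the Fetch spec.
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// Strip parameters such as "; charset=utf-8" or "; boundary=..." and normalise case.
function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// True when the browser would send an OPTIONS preflight before this request:
// a non-form method, a non-safelisted header (e.g. X-Requested-With), or a
// Content-Type a plain <form> could not produce (e.g. application/json).
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(key)) return true;
    if (key === "content-type" && !SIMPLE_CONTENT_TYPES.has(mediaType(value))) {
      return true;
    }
  }
  return false;
}

// Server side: a request that needs no preflight could have come from any
// origin (a <form> on another site can send it), so the endpoint must carry
// its own CSRF defence (token or origin check) rather than lean on CORS.
function requiresCsrfDefence(method, headers) {
  return !needsPreflight(method, headers);
}

// Server side: a JSON endpoint that also parses text/plain bodies as JSON
// becomes reachable by simple requests. Rejecting every media type other
// than application/json keeps the endpoint behind the preflight.
function acceptJsonBody(contentType) {
  return mediaType(contentType) === "application/json";
}
```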
