Problem description
I don't really get Access-Control-Allow-Origin and CORS.
If I allow requests from any domain to my page, does that imply any security issues for my page?
I always thought that SOP ensures that no script that requests data from another server can run on a page, as that data might be malicious. But as the server which serves the malicious data can just reply with a header containing Access-Control-Allow-Origin: *, everything can be loaded from that server.
So as soon as somebody manages to inject a piece of JS code into a page, any malicious code can be loaded from a server belonging to the attacker.
Until now I assumed that I would have to enable cross-domain requests to allow code on my page to request data from another domain, but it seems to be the other way round: the other domain has to allow my domain to request data.
I don't really see the security benefits of this concept.
Could anybody explain the concepts behind this, or tell me if I am getting it all wrong?
Recommended answer
Given:
- Alice, a user with a web browser
- Bob, a website owner with a website
- Mallory, a malicious website owner with a website
Alice has an account on Bob's server. Maybe it is her webmail. Maybe it is her online banking. Maybe it is somewhere she likes to shop.
Alice visits Mallory's website, not knowing that it is evil.
The Same Origin Policy prevents Mallory's website from using JavaScript to tell Alice's browser to make a request to Bob's website and give Alice's personal information (her bank balance, for instance) to Mallory's website (and therefore to Mallory).
(Sometimes the request will be blocked because the conditions require a pre-flight request; other times the request will go through but the response will not be provided to Mallory's site. Look up CSRF if you want to defend against attacks where the danger lies in what the server does when it gets the request rather than in information leaking from the response.)
CORS allows Bob to say that a resource on his website does not contain any personal information, so that it is safe to allow other sites to access it (or that a particular site can be trusted with the personal information).
So as soon as somebody manages to inject a piece of JS code into a page,
XSS is a completely different security problem. You need to prevent people from injecting JS.
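The following is an added example and is not part of the original question or answer. It is a Node script that models the browser-side decisions the answer describes: which requests are sent without a preflight (and therefore still reach Bob with Alice's cookie, which is the CSRF point), which responses the browser withholds from Mallory's script, and how Bob can open a public resource to every origin while sharing personal data only with an allow-listed site. The origins, Bob's endpoints (/balance, /rates, /partner-data), his partner allow-list and Alice's cookie are all made up for the illustration; the policy rules themselves follow the Fetch standard's CORS check and simple-request definition.

```javascript
// Added example, not from the original post: a model of the browser's CORS
// decision run under Node. Origins, paths and Bob's policy are made up.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// A request an HTML form could also have sent is "simple": the browser sends
// it immediately, Alice's cookies included, and only afterwards decides
// whether the page may read the response. Anything else is preflighted first.
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lname)) return true;
    if (lname === 'content-type' &&
        !SIMPLE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase())) return true;
  }
  return false;
}

// The CORS check the browser applies before letting a script read a response.
function corsCheck(requestOrigin, responseHeaders, withCredentials) {
  const allow = responseHeaders['access-control-allow-origin'];
  if (allow === undefined) return false;
  if (allow === '*') return !withCredentials; // wildcard never releases credentialed data
  if (allow !== requestOrigin) return false;
  return !withCredentials || responseHeaders['access-control-allow-credentials'] === 'true';
}

// Bob's server (hypothetical). Per-resource CORS policy:
//   /balance      Alice's personal data, no CORS header at all
//   /rates        public data, Access-Control-Allow-Origin: *
//   /partner-data personal data shared only with an allow-listed origin
const PARTNERS = new Set(['https://partner.example']);
const ALICE_COOKIE = 'session=alice';

function corsHeadersFor(path, origin) {
  const h = {};
  if (path === '/rates') h['access-control-allow-origin'] = '*';
  if (path === '/partner-data' && PARTNERS.has(origin)) {
    h['access-control-allow-origin'] = origin;
    h['access-control-allow-credentials'] = 'true';
    h['vary'] = 'Origin';
  }
  return h;
}

function bobServer(req) {
  const headers = corsHeadersFor(req.path, req.origin);
  if (req.method === 'OPTIONS') {                       // preflight reply
    if (req.path === '/partner-data') headers['access-control-allow-methods'] = 'GET, DELETE';
    return { status: 204, headers, body: '' };
  }
  const loggedIn = req.cookie === ALICE_COOKIE;
  if (req.path === '/balance') return { status: 200, headers, body: loggedIn ? 'balance: 1234.56' : 'login required' };
  if (req.path === '/rates') return { status: 200, headers, body: 'EUR/USD 1.08' };
  if (req.path === '/partner-data') return { status: 200, headers, body: loggedIn ? 'orders for alice' : 'login required' };
  return { status: 404, headers, body: 'not found' };
}

// Alice's browser running a script on `pageOrigin` that calls Bob's server.
// `credentials` models fetch(url, { credentials: 'include' }).
// Returns whether the request reached Bob at all and whether the script got the body.
function browserFetch(pageOrigin, path, { method = 'GET', headers = {}, credentials = false } = {}) {
  const cookie = credentials ? ALICE_COOKIE : undefined;   // Alice is logged in to Bob
  if (needsPreflight(method, headers)) {
    const pre = bobServer({ method: 'OPTIONS', path, origin: pageOrigin });
    const methods = (pre.headers['access-control-allow-methods'] || '').split(',').map((m) => m.trim().toUpperCase());
    if (!corsCheck(pageOrigin, pre.headers, credentials) || !methods.includes(method.toUpperCase())) {
      return { reachedServer: false, exposed: false, body: null };
    }
  }
  const res = bobServer({ method, path, origin: pageOrigin, cookie, headers });
  const exposed = corsCheck(pageOrigin, res.headers, credentials);
  return { reachedServer: true, exposed, body: exposed ? res.body : null };
}

const MALLORY = 'https://mallory.example';
const PARTNER = 'https://partner.example';

// Mallory's page tries to read Alice's balance: the request is sent, but the body is withheld.
console.log(browserFetch(MALLORY, '/balance', { credentials: true }));
// Public data is readable by anyone.
console.log(browserFetch(MALLORY, '/rates'));
// A simple POST still reaches Bob with Alice's cookie (the CSRF point in the answer).
console.log(browserFetch(MALLORY, '/balance', { method: 'POST', credentials: true }));
// A DELETE needs a preflight; Bob never lists Mallory, so the real request is never sent.
console.log(browserFetch(MALLORY, '/partner-data', { method: 'DELETE', credentials: true }));
// The allow-listed partner, with Alice's cookie, may read her data.
console.log(browserFetch(PARTNER, '/partner-data', { credentials: true }));
```

Two details worth noticing when reading the output: the credentialed GET of /balance from Mallory's page has reachedServer true and exposed false, which is exactly the answer's distinction between what the server does on receipt and what leaks back; and /rates with credentials is not exposed even though Bob sent `*`, because browsers refuse to combine the wildcard with credentials, so a careless `Access-Control-Allow-Origin: *` cannot by itself hand Alice's cookie-authenticated data to every site.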
That concludes this article on what the concepts behind Access-Control-Allow-Origin and CORS are. We hope the recommended answer helps, and please keep supporting html5模板网!