問題描述
據說不是將所有域都添加到 CORS,而應該只添加一組域.然而,添加一組域有時并非易事.例如.如果我想公開一個 API,那么對于每個想要調用該 API 的域,都需要聯系我以將該域添加到允許的域列表中.
It is said that instead of adding all domains to CORS, one should only add a set of domains. Yet it is sometimes not trivial to add a set of domains. E.g. if I want to publicly expose an API then for every domain that wants to make a call to that API I would need to be contacted to add that domain to the list of allowed domains.
我想在安全隱患和減少工作量之間做出有意識的權衡決定.
I'd like to make a conscious trade off decision between security implications and less work.
我看到的唯一安全問題是 DoS 攻擊 和 CSRF 攻擊.CSRF 攻擊已經可以通過 IMG 元素和 FORM 元素實現.與 CORS 相關的 DoS 攻擊可以通過在引用標頭上阻止請求來克服.
The only security issues I see are DoS attacks and CSRF attacks. CSRF attacks can already be achieved with IMG elements and FORM elements. DoS attacks related to CORS can be overcome by blocking requests upon the referrer header.
我是否遺漏了安全隱患?
Am I missing security implications?
===編輯===
- 假設
Access-Control-Allow-CredentialsHeader 沒有設置 - 我知道如何添加給定的域CORS 訪問"列表,因此我只對添加所有域CORS 訪問"的安全影響感興趣
- It is assumed that the
Access-Control-Allow-CredentialsHeader is not set - I know how to add a given list of domains "CORS access" and I'm therefore only interested in the security implications of adding all domains "CORS access"
推薦答案
除了 csauve 的回復之外,其他回復都沒有回答我原來的問題.
Except of csauve's one, none of the replies answer my original question.
回答我的問題;看來只要不設置Access-Control-Allow-Credentials就沒有安全問題.
To answer my question; It seems that as long as Access-Control-Allow-Credentials is not set then there is no security problem.
(這讓我想知道為什么在 Access-Control-Allow-Credentials 未設置時規范需要預檢?)
(Which makes me wonder why the spec requires preflight when Access-Control-Allow-Credentials is not set?)
這篇關于將所有域添加到 CORS 的安全隱患(訪問控制允許來源:*)的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!