Question
After reading about CORS (Cross-Origin Resource Sharing), I don't understand how it improves security. Cross-Domain AJAX communication is allowed if the correct ORIGIN header is sent. As an example, if I send
The server checks if this domain is in the white list and, if it is, the header:
Access-Control-Allow-Origin: [received url here]
is sent back, together with the response (this is the simple case; there are also preflighted requests, but the question is the same).
Is this really secure? If someone wants to receive the information, faking an ORIGIN header seems like a really trivial task. Also the standard says that the policy is enforced in the browser, blocking the response if Access-Control-Allow-Origin is not correct. Obviously if anyone is trying to get that info, he will not use a standard browser to block it.
Accepted answer
It isn't designed to stop people getting the data. You can't expose it without people getting it.
It is designed so that given:
- Alice, a person providing an API designed to be accessed via AJAX
- Bob, a person using a web browser
- Charlie, a third party running their own website
If Bob visits Charlie's website, then Charlie cannot send JS to Bob's browser so that it fetches data from Alice's website and sends it to Charlie.
The above situation becomes more important if Bob has a user account on Alice's website which allows him to do things like post comments or delete data — since without protection, Charlie could tell Bob's browser to do that behind Bob's back.
If you want to stop unauthorized people from seeing the data, then you need to protect it with passwords, SSL client certs or some other means of identity based authentication/authorization.
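To make the answer's Alice/Bob/Charlie scenario concrete, here is an added example (not part of the original question or answer) that models both halves of CORS: the server side, where Alice's API echoes only an allowlisted Origin back in Access-Control-Allow-Origin, and the browser side, where the response body is released to a page's script only when that header names the page's own origin. It also shows the answer's last point: CORS decides which page may read a response, while authentication (here a constructed session cookie) decides whether anyone gets the data at all. All origins, cookie names, session ids and the notes data are constructed sample values.

```python
# Added example, not the original post's code: a minimal model of Alice's API
# server applying an Origin allowlist, plus a simulation of the check a browser
# makes before giving a cross-origin page the response body.
# All origins, cookies, session ids and data below are constructed sample values.
from typing import Dict, Tuple

# Exact origins only (scheme + host [+ port]). Substring or regex matching of the
# Origin header is a common bug that would let a look-alike such as
# "https://app.alice.example.charlie.example" through.
ALLOWED_ORIGINS = frozenset({"https://app.alice.example"})

# Constructed session store: Bob is logged in to Alice's site.
SESSIONS = {"sess-bob-123": "bob"}
PRIVATE_NOTES = {"bob": "Bob's private notes"}


def cors_headers(request_headers: Dict[str, str], method: str) -> Dict[str, str]:
    """CORS headers Alice's server adds to a response.

    An allowlisted Origin is echoed back verbatim; any other Origin gets no
    Access-Control-Allow-Origin at all, so the browser withholds the body.
    '*' is never combined with credentials (browsers reject that pairing).
    """
    headers = {"Vary": "Origin"}  # the response differs per Origin, so caches must key on it
    origin = request_headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return headers
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"
    if method == "OPTIONS":  # preflight for non-simple requests (DELETE, custom headers, ...)
        headers["Access-Control-Allow-Methods"] = "GET, POST, DELETE"
        headers["Access-Control-Allow-Headers"] = request_headers.get(
            "Access-Control-Request-Headers", "")
        headers["Access-Control-Max-Age"] = "600"
    return headers


def handle_get(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Alice's GET /notes endpoint: CORS headers plus a session check.

    CORS decides whether a *page* may read the answer; authentication decides
    whether *anyone* gets it. The two checks are independent.
    """
    headers = cors_headers(request_headers, "GET")
    cookie = request_headers.get("Cookie", "")
    session_id = cookie[len("session="):] if cookie.startswith("session=") else ""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, headers, "authentication required"
    return 200, headers, PRIVATE_NOTES[user]


def browser_can_read(page_origin: str, response_headers: Dict[str, str],
                     with_credentials: bool) -> bool:
    """Simulated browser-side enforcement of the response headers.

    The body reaches the calling script only when Access-Control-Allow-Origin
    names the page's origin exactly (or is '*' and no credentials were sent)
    and, for credentialed requests, Allow-Credentials is 'true'.
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if acao != page_origin:
        return False
    return (not with_credentials
            or response_headers.get("Access-Control-Allow-Credentials") == "true")


def simulate(page_origin: str, with_bobs_cookie: bool) -> Tuple[int, bool]:
    """A script on `page_origin`, running in Bob's browser, fetches Alice's /notes
    with credentials. Returns (HTTP status, whether the script can read the body)."""
    request_headers = {"Origin": page_origin}
    if with_bobs_cookie:  # the browser attaches Bob's alice.example cookie automatically
        request_headers["Cookie"] = "session=sess-bob-123"
    status, headers, _body = handle_get(request_headers)
    return status, browser_can_read(page_origin, headers, with_credentials=True)


if __name__ == "__main__":
    print("Alice's own page:  ", simulate("https://app.alice.example", True))                  # (200, True)
    print("Charlie's page:    ", simulate("https://charlie.example", True))                    # (200, False)
    print("Look-alike origin: ", simulate("https://app.alice.example.charlie.example", True))  # (200, False)
    print("Logged-out browser:", simulate("https://app.alice.example", False))                 # (401, True)
```

Two things the simulation makes visible. First, in the Charlie case the server still answers 200 with Bob's data, because Bob's cookie is valid; it is the browser that withholds the body from Charlie's script, which is exactly why a client that does not enforce CORS gains nothing from a matching Origin beyond what the session check already allows. Second, for a simple request the request itself is still sent and executed before the response is blocked, so endpoints that change state on a simple GET or form POST need their own CSRF defence (a token or SameSite cookies); CORS only gates the non-simple requests behind the preflight shown in `cors_headers`.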
This concludes the article "Is CORS a secure way to do cross-domain AJAX requests?".