Problem description
First of all, I assume a backend that controls inputs to prevent XSS vulnerabilities.
In:
The Origin HTTP Header standard was introduced as a method of defending against CSRF and other Cross-Domain attacks. Unlike the referer, the origin will be present in HTTP requests that originate from an HTTPS URL.
If the origin header is present, then it should be checked for consistency.
I know that the general recommendation from OWASP itself is the Synchronizer Token Pattern, but I can't see what vulnerabilities remain in:
- TLS + JWT in secure httpOnly cookie + Same-origin policy + No XSS vulnerabilities.
UPDATE 1: The same-origin policy only applies to XMLHttpRequest, so an evil site can make a form POST request easily and this will break my security. An explicit Origin header check is needed. The equation would be:
- TLS + JWT in secure httpOnly cookie + Origin Header check + No XSS vulnerabilities.
Recommended answer
Summary
I had misunderstood some concepts about the Same-origin policy and CORS that @Bergi, @Neil McGuigan and @SilverlightFox helped me to clarify.
First of all, what @Bergi said
is an important concept. I thought that a browser doesn't make the request to the cross domain according to the SOP restriction, but this is only true for what Monsur Hossain calls "not-so-simple requests" in this excellent tutorial.
- Simple requests
- Not-so-simple requests (the wording I just edited)
Simple requests are requests that meet the following criteria:
- HTTP method matches (case-sensitive) one of:
  - HEAD
  - GET
  - POST
- HTTP headers match (case-insensitive) one of:
  - Accept
  - Accept-Language
  - Content-Language
  - Last-Event-ID
  - Content-Type, but only if the value is one of:
    - application/x-www-form-urlencoded
    - multipart/form-data
    - text/plain
So, a POST with Content Type application/x-www-form-urlencoded will hit the server (this means a CSRF vulnerability), but the browser will not make the results from that request accessible. A POST with Content Type application/json is a "not-so-simple request", so the browser will make a preflight request like this:
If the server responds with, for example:
the browser will not make the request at all, because
So I think that Neil was talking about this when he pointed out that:
However, with the explicit Origin header check that I proposed to Bergi, I think it is enough with respect to this issue.
With respect to my answer to Neil, I didn't mean that that answer was the one to all my questions, but it reminded me of another important issue about the SOP, which is that the policy only applies to XMLHttpRequests.
In conclusion, I think that the equation
- TLS + JWT in secure httpOnly cookie + Origin Header check + No XSS vulnerabilities.
is a good alternative if the API is in another domain, like SilverlightFox says. If the client is in the same domain as the API, I will have trouble with requests that don't include the Origin header. Again from the CORS tutorial:
Silverlight pointed this out too.
The only risk that remains is that a client can spoof the Origin header to match the allowed origin, so the answer I was looking for was actually this
UPDATE: for those who watch this post, I have doubts about whether the Origin header is needed at all when using JWT.
The equation would be:
- TLS + JWT stored in secure cookie + JWT in request header + No XSS vulnerabilities.
Also, the previous equation has an httpOnly cookie, but this won't work if you have the client and the server in different domains (like many SPA applications today) because the cookie wouldn't be sent with each request to the server. So you need to access the JWT token stored in the cookie and send it in a header.
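As an added example (not code from the original post or from any of the people quoted in it), here is a server-side version of the two points the answer makes: a classifier for "simple requests" per the criteria listed above, and the Origin check the answer settles on, with a Referer fallback for same-site clients that omit Origin. The allowed-origin set and the header dictionaries are assumed inputs.

```python
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# "Simple request" criteria as listed in the answer: these reach the server
# cross-origin with no preflight, so the CSRF defence must check them itself.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}                      # case-sensitive
SIMPLE_HEADERS = {"accept", "accept-language", "content-language",
                  "last-event-id", "content-type"}            # case-insensitive
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}

def is_simple_request(method: str, script_headers: Dict[str, str]) -> bool:
    """True if a request with these script-set headers needs no preflight."""
    if method not in SIMPLE_METHODS:
        return False
    for name, value in script_headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADERS:
            return False
        # Only the media type counts; parameters such as charset are ignored.
        media_type = value.split(";")[0].strip().lower()
        if lname == "content-type" and media_type not in SIMPLE_CONTENT_TYPES:
            return False
    return True

def origin_of(url: str) -> Optional[str]:
    """scheme://host[:port] of a URL, or None if it has no usable origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_source_origin(method: str, headers: Dict[str, str],
                        allowed_origins: Set[str]) -> Tuple[bool, str]:
    """Source check for state-changing requests (assumed server-side hook).

    Origin is checked when present; Referer is the fallback for same-site
    clients that omit Origin (the case the answer worries about). A request
    carrying neither is rejected rather than trusted. allowed_origins holds
    lowercase "scheme://host[:port]" strings (assumed configuration).
    """
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    lower = {k.lower(): v for k, v in headers.items()}
    source = lower.get("origin")
    if source is None and "referer" in lower:
        source = origin_of(lower["referer"])
    if source is None:
        return False, "no Origin or Referer header"
    if source.lower() == "null":
        return False, "opaque origin"
    if source.lower() in allowed_origins:
        return True, "source allowed"
    return False, f"source {source} not allowed"
```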
This article on why the same-origin policy is not enough to prevent CSRF attacks ends here. We hope the recommended answer helps everyone, and we hope you will keep supporting us!