Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
741 views
in Technique[技术] by (71.8m points)

javascript - What is the concept behind Access-Control-Allow-Origin and CORS?

I don't really get Access-Control-Allow-Origin and CORS.
If I allow request from any domain to my page, does that imply any security issues for my page?

I always thought, that SOP ensures, that there can't run any script on a page, which requests data from another server, as that data might be malicious. But as the server, which serves the malicious data, can just reply with a header containing Access-Control-Allow-Origin:*, everything can be loaded from that server.
So as soon as somebody manages to inject a piece of JS code into a page, every malicious code can be loaded from a server belonging to the attacker.

Unitl now I assumed, that I would have to enable cross domain requests to allow code on my page to request data from another domain but it seems to be the other way round; the other domain has to allow my domain to request data. I don't really see the security benefits of this concept.
Could anybody explain the concepts behind this or tell me if I am getting it all wrong?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Given:

  • Alice, a user with a browser
  • Bob, a site owner with a website
  • Mallory, a malicious site owner with a website

Alice has an account on Bob's server. Maybe it is her webmail. Maybe it is her online banking. Maybe it is somewhere she likes to shop.

Alice visits Mallory's website, not knowing that it is evil.

The Same Origin Policy prevents Mallory's website from using JavaScript to tell Alice's browser to make a request to Bob's website and give Alice's personal information (her bank balance for instance) to Mallory's website (and therefore to Mallory).

(Sometimes the request will be blocked because the conditions require a pre-flight request, other times the request will go through but the response will not be provided to Mallory's site. Look up CSRF if you want to defend against attacks where the danger lies in what the server does when it gets the request rather then in information leaking from the response).

CORS allows Bob to say that a resource on his website does not contain any personal information so that it is safe to allow other sites to access it (or that a particular site can be trusted with the personal information).

So as soon as somebody manages to inject a piece of JS code into a page,

XSS is a completely different security problem. You need to prevent people injecting JS.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

1.4m articles

1.4m replys

5 comments

57.0k users

...