如何阻止恶意代码欺骗“Origin"?标头利用CORS?

What#39;s to stop malicious code from spoofing the quot;Originquot; header to exploit CORS?(如何阻止恶意代码欺骗“Origin?标头利用CORS?)
本文介绍了如何阻止恶意代码欺骗“Origin"?标头利用CORS?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

按照我的理解,如果在 foo.com 的页面上运行的客户端脚本想要从 bar.com 请求数据,则在请求中它必须指定标头 Origin: http://foo.com,并且 bar 必须以 Access-Control-Allow-Origin: http://foo.com 响应.

The way I understand it, if a client-side script running on a page from foo.com wants to request data from bar.com, in the request it must specify the header Origin: http://foo.com, and bar must respond with Access-Control-Allow-Origin: http://foo.com.

有什么方法可以阻止来自站点 roh.com 的恶意代码简单地欺骗标头 Origin: http://foo.com 来请求来自 bar 的页面?

What is there to stop malicious code from the site roh.com from simply spoofing the header Origin: http://foo.com to request pages from bar?

推荐答案

浏览器可以控制设置 Origin 标头,用户无法覆盖此值.因此,您不会看到浏览器欺骗的 Origin 标头.恶意用户可以制作手动设置 Origin 标头的 curl 请求,但此请求可能来自浏览器外部,并且可能没有特定于浏览器的信息(例如 cookie).

Browsers are in control of setting the Origin header, and users can't override this value. So you won't see the Origin header spoofed from a browser. A malicious user could craft a curl request that manually sets the Origin header, but this request would come from outside a browser, and may not have browser-specific info (such as cookies).

请记住:CORS 不是安全性.不要依赖 CORS 来保护您的网站.如果您提供受保护的数据,请使用 cookie 或 OAuth 令牌或 Origin 标头以外的其他内容来保护该数据.CORS 中的 Access-Control-Allow-Origin 标头仅指示应允许哪些来源发出跨域请求.不要再依赖它了.

Remember: CORS is not security. Do not rely on CORS to secure your site. If you are serving protected data, use cookies or OAuth tokens or something other than the Origin header to secure that data. The Access-Control-Allow-Origin header in CORS only dictates which origins should be allowed to make cross-origin requests. Don't rely on it for anything more.

这篇关于如何阻止恶意代码欺骗“Origin"?标头利用CORS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

本站部分内容来源互联网,如果有图片或者内容侵犯了您的权益,请联系我们,我们会在确认后第一时间进行删除!

相关文档推荐

SCRIPT5: Access is denied in IE9 on xmlhttprequest(SCRIPT5:在 IE9 中对 xmlhttprequest 的访问被拒绝)
XMLHttpRequest module not defined/found(XMLHttpRequest 模块未定义/未找到)
Show a progress bar for downloading files using XHR2/AJAX(显示使用 XHR2/AJAX 下载文件的进度条)
How can I open a JSON file in JavaScript without jQuery?(如何在没有 jQuery 的情况下在 JavaScript 中打开 JSON 文件?)
How do I get the HTTP status code with jQuery?(如何使用 jQuery 获取 HTTP 状态码?)
quot;Origin null is not allowed by Access-Control-Allow-Originquot; in Chrome. Why?(“Access-Control-Allow-Origin 不允许 Origin null在铬.为什么?)