CORS-本地主机作为生产允许的来源
问题说明
有时,在对生产中的错误进行故障排除时,能够从我的本地开发环境中访问我们的生产REST服务器会很方便.但是我担心将本地主机添加到允许的来源会带来安全风险.搜索产生了冲突的信息.我的担忧有效吗?为什么或为什么不呢?
Occasionally when troubleshooting bugs in production, it would be convenient to be able to hit our production REST server from my local dev environment. But i'm concerned that adding localhost to allowed origins would be a security risk. Searches have yielded conflicting information. Are my concerns valid? Why or why not?
正确答案
我假设您有
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost
风险在于,用户计算机上运行的任何服务都可能有效地绕过同一来源政策用于您的网站.
The risk is that any services running on a user's machine could effectively bypass the Same Origin Policy for your site.
因此,如果您有REST URL,例如
So if you have a REST URL such as
https://example.com/User/GetUserDetails
在用户计算机上运行的恶意或受到攻击的服务可能会通过用户的浏览器发出该请求,然后获取有关该用户的详细信息,因为他们的身份验证cookie将随请求一起传递.
A malicious or compromised service running on the user's computer could make that request via the user's browser and then grab details about the user, because their authentication cookie will be passed with the request.
现在,您可能会争辩说,在用户计算机上运行的恶意服务可能只是直接从其浏览器中获取身份验证cookie,然后自行发出请求.但是,如果该服务有其自身的缺陷(例如XSS),则可能使另一个站点通过您的REST服务(evil.example.org --XSS-> localhost -CORS-> example.com/User/GetUserDetails)危害用户.
Now, you could argue that a malicious service running on the user's computer could just grab the authentication cookie from their browser directly and then make the request itself. However, if the service has some flaws of its own (say XSS), this could allow another site to compromise the user via your REST service (evil.example.org --XSS-> localhost -CORS-> example.com/User/GetUserDetails).
如果用户正在运行本地反向代理来访问某些内容,则另一种情况可能会使您面临风险.如果目标站点是恶意的或被破坏的,这将使目标站点能够通过您的用户来危害用户.这是因为用户将使用localhost域访问目标站点.
Another scenario that could put you at risk if the user is running a local reverse proxy to access something. This would enable the target site to compromise the user through yours, should that target site be malicious or be compromised. This is because the user would be accessing the target site with a domain of localhost.
如果确实需要执行此操作,建议您为REST服务使用一个特殊的开发人员帐户,该帐户在访问时仅将Access-Control-Allow-Origin: https://localhost标头添加到您的请求中.这样,您就不会使其他用户面临风险,因为您知道自己仅在https://localhost上运行前端服务器,因此您不会因打开的CORS设置而受到损害.
If you really need to do this I suggest you have a special developer account for your REST service that when accessed adds the Access-Control-Allow-Origin: https://localhost header to your requests only. That way, you are not putting other users at risk because you know you are only running the front-end server only at https://localhost so you cannot be compromised by your open CORS setting.
另一种方法可能是将noonewouldusethis2859282.localhost之类的东西用于您的前端本地副本.然后,您可以安全地添加Access-Control-Allow-Origin: https://noonewouldusethis2859282.localhost标头,因为没有其他人会使用它并且可以免受CORS攻击.
Another way may be to use something like noonewouldusethis2859282.localhost for your local copy of the front-end. Then you can safely add the Access-Control-Allow-Origin: https://noonewouldusethis2859282.localhost header because nobody else would use this and would be safe from CORS attacks.
这篇好文章是转载于:学新通技术网
