What are the differences between CSRF and CORS?

已于 2023-03-28 13:54:12 修改
阅读量294 收藏
点赞数
分类专栏: 杂记 文章标签: csrf 前端 CORS
于 2022-10-09 12:56:38 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/u011069294/article/details/127223932
版权

CSRF is a vulnerability and CORS is a method to relax the same-origin policy. CORS is something you might want to use (in certain circumstances) whereas CSRF is an undesirable design mistake.

There are vulnerabilities associated with the CORS mechanism. For example you might accidentally allow all websites to include scripts (wildcard *) which would enable all sorts of nasty things that resemble CSRF attacks but also other attacks such as stealing information (incl. CSRF tokens) and create injections that perform like XSS or even harness the resources of the poorly configured service. It all depends on the application and the exploit. But poorly configured CORS certainly enables CSRF in certain cases where it would not be possible otherwise.

Sometimes CORS is also associated with the protection methods of how to prevent CSRF attacks. The most typical way to mitigate the attack is to use anti-CSRF tokens but it is also possible to prevent the attack by checking the Origin: or Referer: header which is related to CORS. But it is useful to notice that this is more complicated than it sounds and it is not a good idea to assume that good CORS rules will prevent all CSRF attacks.

Access-Control-Allow-Origin which is generally called CORS(Cross-Origin Resources Sharing) opens doors for other specific domain who wants to request specific content. (Access-Control-Allow-Origin等价于CORS)

从站点a去请求站点b的时候,就是跨站点请求,浏览器会禁止跨域请求,报下面的错:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://xxx/.
解决方法: 服务器设置Access-Control-Allow-Origin: *

  1. CSRF 是一种容易被黑客攻击的漏洞,CORS是一种relax同源策略的手段(也就是允许部分不同源的网站访问你的API)。
  2. CORS的使用可能导致CSRF。
  3. 有时候也使用CORS相关的概念来防止CSRF。例如使用检查Origin和Referer 这个两个header是否一致,或者是否存在,来防止CSRF。而Origin和Referer是CORS相关的。
    我们的产品中就自己实现了CSRFStrictFilter来防止CSRF。主要做了下面的三个检查:
    • check if the http request is CSRF safe
      1. if it is strict CSRF checking, Referer attribute in HTTP request header can not be null
      1. Host attribute in HTTP request header can not be null
      1. Host and Referer should match, i.e., from the same origin
    • Client will be redirected to /zosmf/errorPage.jsp with the exception code if CSRF checking failed.

https://www.quora.com/What-are-the-differences-between-CSRF-and-CORS

simpleGq
关注
专栏目录
nuxt.js使用教程_使用Nuxt.js和Django构建通用应用程序
culiu9261的博客
07-22 977
nuxt.js使用教程 介绍 ( Introduction ) The advent of modern JavaScript libraries such as React.js and Vue.js has transmogrified Front-end web development for the better. These libraries ship with wonderful f...
nuxt.js使用教程_如何使用Nuxt.js和Django构建通用应用程序
08-15 501
nuxt.js使用教程 介绍 (Introduction) The advent of modern JavaScript libraries such as React.js and Vue.js has changed front-end web development for the better. These libraries ship with features including S...
vue-router报错
qq_45142260的博客
02-17 2341
vue路由报错,vue-router 报错内容:Catch all routes ("*") must now be defined using a param with a custom regexp.
一份来自于全球的前端面试题清单,看看老外喜欢考哪些题(部分有答案)
weixin_33928137的博客
11-05 7817
  方括号中的蓝色标题是题目的出处,有些题目在原址内包含答案。搜集的大部分外国前端面试题没有做翻译,单词并不难,大家应该看得懂。题目旁边的方括号内, 简单记录了与此题相关的知识点。总共大概一千多道,包含国内的题目,如有错误,欢迎指正。有些原链可能已无法打开,有些可能需要代理才能查看。 一、HTML 【HTML related interview questions】 1、What is do...
转载:Websockets 101
weixin_30471561的博客
05-16 726
Websockets 101 转:http://lucumr.pocoo.org/2012/9/24/websockets-101/ written on Monday, September 24, 2012 Out of curiosity I taught theFireteampresence server websockets as a protocol in addition ...
springmvc4开发rest
weixin_34235457的博客
07-14 207
Spring MVC 4 RESTFul Web Services CRUD Example+RestTemplate Created on:  August 11, 2015  | Last updated on:  March 12, 2017   websystiqueadmin In this post we will write a CRUD Restful WebService usi...
Laravel文档整理
09-09 2340
介绍关于LTS与非LTS的选择:从产品生命周期上去考虑: ● 如果是商业项目的话,要走稳定路线,建议选择 LTS 长期支持版,可以避免掉入「更新大黑洞」。 ● 如果是个人项目的话,要走激进路线,推荐使用最新版的 Laravel,主要有两个理由: a. 跟上技术的趋势,对保持个人竞争力很重要,如果你不想被时代淘汰的话; b. 知道新框架的技术决策,即使你在开发
# Python3 面试试题--Python语言特性
weixin_43097301的博客
02-17 2253
Python语言特性 1 Python的函数参数传递 看两个例子: a = 1 def fun(a): a = 2 fun(a) print a # 1 a = [] def fun(a): a.append(1) fun(a) print a # [1] 所有的变量都可以理解是内存中一个对象的“引用”,或者,也可以看似c中void*的感觉。 通过id来看引用a的内存地址可以...
What are the differences between least-squares and Kalman filtering
03-18
### 最小二乘法与卡尔曼滤波的区别 在GPS导航系统和其他位置定位技术中,两种最常用的估计方法是最小二乘法(Least Squares, LS)和卡尔曼滤波(Kalman Filtering, KF)。这两种方法虽然表面上看起来有很大区别,但...
The Differences Between Chinese and American Cultures from the P
09-14
The Differences Between Chinese and American Cultures from the Perspective of Politeness Utterances.zip
Analysis of the Differences between English and Chinese Language Structure.pdf
08-01
英语与汉语的语言结构差异是一个复杂且广泛的话题,涉及语言学的多个层面。首先需要明确的是,任何两种语言之间的结构差异都是各自文化和思维模式差异的反映。这一点在英汉语言对比中尤为明显。...
MCM/ICM:Judging Results and Designations——What are the differences between the designations?
Mr.鹏
04-29 1111
此篇博客用来介绍美国大学生数学建模竞赛(MCM/ICM)最后的评判结果(Final Designation: )的名称和理由。 文章数据来源:IX. Judging Results and Designations——What are the differences between the designations?
text/plain 和application/json区别、Get参数带有特殊字符,需要encode、encodeURIComponent和encodeURI的区别
simpleGq的专栏
03-31 4496
如果用text/plain返回: 每个反斜杠/之前都会自动给加上一个正斜杠。As application/json: 不会自动加。
ubuntu16.04部署kubernetes1.6.0+kubernetes Dashboard+EFK+Prometheus+Grafana+Heapster
simpleGq的专栏
04-23 3879
首先教你一步步安装kubernetes1.6.0,在完成kubernetes1.6.0部署之后接着进行kubernetes Dashboard安装、 EFK部署、Heapster部署、Prometheus部署、Grafana+Alertmanager部署;同时还介绍了ubuntu server中vpn的使用。 Grafana+Alertmanager的部署在安装kube-kubernetes的时候,一起进行。
FTP主动模式(passive)和被动模式(port)的区别
simpleGq的专栏
03-09 3580
FTP协议会在客户端和服务端创建两个连接,一个用于命令传输,一个用于数据传输。 主动模式和被动模式是面向服务端和数据传输来讲的。对于命令传输,都是客户端主动连接服务端。 主动模式:客户端创建一个listen端口,服务端主动连接,建立数据传输通道 被动模式:服务创建一个listen端口,客户端主动链接,建立数据传输通道。 站在服务端的角度: 主动:客户端你来建立端口,我来链接。 被动:我建立好端口了,你来连接我。 ...
SSH key的生成,到底是在客户端生成还是在服务端生成?
simpleGq的专栏
05-12 2453
SSH key是一对公钥和私钥。 大部分情况下,都是在客户端生成这对key,然后将public key放到服务端。然后客户端就可以免密登录服务器了。(大多数情况都是使用的这种方法) 但是,其实也是可以在服务端生成这对key的,然后将private key放到客户端。这样客户端也可以直接连接服务端。 其实这两种方法没什么区别。在进行验证的时候,客户端拿着的都是私钥,服务端拿着的是公钥。 ssh key只不过是两个文件而已,在哪生成没什么区别。只要保证客户端拿着的都是私钥,服务端拿着的是公钥就行。 ...
Chrome浏览器禁用同源策略
最新发布
simpleGq的专栏
12-22 1960
【代码】Chrome浏览器禁用同源策略。
.gitignore和.gitattributes遇到的坑
simpleGq的专栏
04-16 1704
.gitignore都只对没有被git track的文件起作用。如果修改了一个文件已经被git track,再去修改.gitignore,想要忽略它,是不起作用的。 .gitattributes就不会,对于已经被git track的文件,后面修改.gitattributes也会对已经被git track的文件起作用。 ...
What's the differences between traditional and digital cameras?
04-01
There are several differences between traditional and digital cameras: 1. Image Processing: Traditional cameras use film to capture pictures, while digital cameras use electronic sensors to capture and process images. The film in traditional cameras needs to be developed and printed, while digital cameras use memory cards or internal storage to store images. 2. Image Quality: The quality of the images captured by a traditional camera is dependent on the type of film used, while digital cameras offer a range of resolutions and image quality settings. 3. Cost: Traditional cameras require film and processing, which can be expensive over time. Digital cameras have a higher upfront cost, but the cost of taking and storing images is significantly lower. 4. Convenience: Traditional cameras require physical film to be loaded and removed, while digital cameras can store thousands of images on a single memory card. Additionally, digital cameras offer features like instant image review, which allows users to see their pictures immediately after taking them. 5. Features: Digital cameras offer a range of features like zoom, image stabilization, and automatic modes that make it easier for users to take high-quality pictures. Traditional cameras offer fewer features and require more technical knowledge to operate effectively.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值