1.同源策略 1.1浏览器器同源策略概念: 同源策略略(Same origin policy)是⼀种约定,它是浏览器器最核⼼心也最基本的安全功能,
如果缺少了了同源策略略,则浏览器器的正常功能可能都会受到影响。
当⼀个浏览器的两个tab页中分别打开百度和谷歌的页面,
同源策略是浏览器的行为,是为了保护本地数据不被JavaScript代码获取回来的数据污染,因此拦截的是客户端发出的请求回来的数据接收,
2.跨域 2.1跨域: 浏览器同源策略1995年,同源策略由 Netscape 公司引⼊浏览器。⽬前,所有浏览器都实行这个策略。
最初,它的含义是指,A⽹页设置的 Cookie,B⽹页不能打开,除非这两个⽹页”同源”。所谓”同源”指的是”三个相同”:
1 2 3 4 5 6 协议相同 http https 域名相同 www.aaa.com 端⼝口相同 80 81 ⼀句话:浏览器从⼀个域名的⽹页去请求另⼀个域名的资源时,域名、端口、协议任⼀不同,都是跨域. 浏览器器控制台跨域提示: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
2.2跨域的解决方法: 1 2 3 4 5 6 7 8 以下3种方法: 1.JSONP 2.⻚面这层再包装一层服务,目前最多就是nodejs 3.Http响应头配置允许跨域: 3.1nginx代理理服务器 3.2后端程序代码配置
3.2后端代码实例:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 import org.springframework.beans.factory.annotation.Value;import org.springframework.core.Ordered;import org.springframework.core.annotation.Order;import org.springframework.stereotype.Component;import javax.servlet.*;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import java.io.IOException;@Component @Order(Ordered.HIGHEST_PRECEDENCE) public class RestCorsFilter implements Filter @Value("${allow.origin.regex:}") private String originRegex; public RestCorsFilter () } @Override public void doFilter (ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException, IOException HttpServletResponse response = (HttpServletResponse) res; HttpServletRequest request = (HttpServletRequest) req; response.setHeader("Access-Control-Allow-Origin" , originRegex); response.setHeader("Access-Control-Allow-Credentials" , "true" ); response.setHeader("Access-Control-Allow-Methods" , "*" ); response.setHeader("Access-Control-Max-Age" , "1800" ); response.setHeader("Access-Control-Allow-Headers" , "*" ); chain.doFilter(req, res); } @Override public void init (FilterConfig filterConfig) } @Override public void destroy () } }
3.CORS(跨域资源共享)漏洞 3.1cors: CORS(跨域资源共享)(Cross-origin resource sharing)WEB应用程序可以通过在HTTP增加字段来告诉浏览器,哪些不同来源的服务器是有权访问本站资源的,当不同域的请求发生时,就出现了跨域的现象。当对CORS配置不当的时候,就导致资源被恶意操作,也就发生了我们熟悉的CORS漏洞。
修复CORS漏洞,需要Access-Control-Allow-Origin和Access-Control-Allow-Credentials两个参数共同设定:
Access-Control-Allow-Origin Access-Control-Allow-Credentials 结果 * true 不存在漏洞 <all-host></all-host> true 存在漏洞 <safe_host> true 安全-不存在漏洞 null true 存在漏洞
Null不存在漏洞,null存在漏洞。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 import org.springframework.beans.factory.annotation.Value; import org.springframework.core.Ordered; import org.springframework.core.annotation.Order; import org.springframework.stereotype.Component; import javax.servlet.*; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; @Component @Order(Ordered.HIGHEST_PRECEDENCE) public class RestCorsFilter implements Filter { //允许跨域访问的主体。allow.origin.regex的值在yml中设置为字符串:"Null" @Value("${allow.origin.regex:}") private String originRegex; public RestCorsFilter() { } @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException, IOException { HttpServletResponse response = (HttpServletResponse) res; HttpServletRequest request = (HttpServletRequest) req; response.setHeader("Access-Control-Allow-Origin", originRegex); response.setHeader("Access-Control-Allow-Credentials", "true"); response.setHeader("Access-Control-Allow-Methods", "*"); response.setHeader("Access-Control-Max-Age", "1800"); //或 response.setHeader("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS"); response.setHeader("Access-Control-Allow-Headers", "*"); chain.doFilter(req, res); } @Override public void init(FilterConfig filterConfig) { } @Override public void destroy() { } }