javascript - Understanding AJAX CORS and security considerations


I am trying to understand how CORS works.

As I have learned, when an AJAX request is made from a page on www.a.com to a page on www.b.com, it is www.b.com that determines whether the request should be allowed or not.

But what is really safe on the client in such a model? For example, if a hacker succeeds in creating an XSS script injection on my page, then it makes an AJAX request to store the user's data. A hacker's domain will definitely allow such requests.

I thought www.a.com should decide which domains can be requested. So, in the spirit of Access-Control-Allow-Origin, I would like to have a complete list of domains that are permitted for those AJAX requests.

Can anyone explain what security issues the current CORS implementation handles?

As I have learned from this post, when an AJAX request is made from a page on www.a.com to www.b.com, it is www.b.com that determines whether the request should be allowed or not.

No request is blocked at all.

JavaScript running on www.a.com is, by default, not allowed to read the response from www.b.com.

CORS allows www.b.com to permit JavaScript to use that response.

But what is really safe on the client in such a model?

It stops the author of www.a.com from using a visitor's browser to read data from www.b.com, where that visitor has visited both sites and is authenticated on www.b.com (and thus has access to data that is not public).

For example, Alice is logged in to Google. Alice visits malicious.example, which uses XMLHttpRequest to access data from gmail.com. Alice has a Gmail account, so the response contains a list of the most recent emails in her inbox. The same origin policy stops malicious.example from reading it.

For example, if a hacker succeeds in creating an XSS script injection on my page, then it makes an AJAX request to store the user's data, and the hacker's domain will surely allow such requests.

Correct. XSS is a separate security problem that needs to be addressed at the source (i.e. on www.a.com and not in the browser).
