javascript - Ask about CORS security

Question

During the interview, I was asked a question about CORS security, but I couldn’t answer it. I would like to ask everyone for advice. CORS sets Access-Control-Allow-Origin on the server side. If it is not set to *, isn't it true that only the specified domain can initiate a request? Otherwise, it will be intercepted by the browser. I have seen that http headers can be forged... .

巴扎黑 · Answer

https://developer.mozilla.org... Browser Compatibility

高洛峰 · Answer

On the contrary, I think CORS intersecting with JSONP is a safer cross-domain method and a standard cross-domain method.

Access-Control-Allow-Origin is a domain whitelist that allows requests. Only those in this domain will the server unify cross-domain requests. If the whitelist is set appropriately, CSRF attacks can be avoided.

I think this question may require you to consider the problems you face if Access-Control-Allow-Origin is *.

The ones set to * are generally public APIs. In order to avoid frequent requests or DDOS, there are usually additional steps for key verification and the frequency and number of requests are limited.

Also, although CORS does not transmit cookies by default, it can be allowed by setting Access-Control-Allow-Credentials to true, which may also lead to the risk of CSRF attacks.

Php8, I'm coming too

Learn website layout in 30 minutes

Shangguan Oracle Beginner to Proficient Video Tutorial

Your first line of UNI-APP code

Flutter from scratch to app launch

Brother Lian New Linux Video Tutorial

AXURE 9 Video Tutorial (Suitable for Product Manager Interactive Product Design UI)

Zero Basic Proficiency PS Video Tutorial

16 day UI video tutorial to get you started

PS Techniques and Slicing Techniques Video Tutorial

Alibaba Cloud Environment Construction and Project Launch Video Tutorial

Overview of Computer Networks - Basic Knowledge that Programmers Must Master

Essential Tutorial for Programmers - HTTP Protocol Explanation

Websocket Video Tutorial