
Same-Origin Policy

1 Definition and principle

1.1 Definition of same origin

Same origin: protocol, host, port

Two URLs are of the same origin if their protocol (scheme), host and port are all identical. The path does not matter.

Example

http://example.com/dir/page.html

http://example.com/dir2/page2.html Same origin (only the path differs)

https://example.com/dir/page.html Different protocol, so a different origin

http://example.com:81/dir/page.html Different port, so a different origin

https://other.com/dir/page.html Different host, so a different origin

A domain name and the IP address it resolves to are also treated as different hosts, so http://example.com and http://<its IP address> are different origins even though they reach the same server.
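The comparison above, as an added example (not code from the original post), done the way the browser does it with the WHATWG URL API that both Node.js and browsers provide. The URL strings are the post's own plus two extra cases (an explicit default port and a constructed IP address from the TEST-NET range) to show the normalisation that the bare "protocol, host, port" rule does not spell out:

```javascript
// Added example, not part of the original post.
// An origin is the (scheme, host, port) triple. URL.origin normalises default
// ports, so http://example.com and http://example.com:80 compare as equal,
// while http://example.com:81 does not.
function originOf(urlString) {
  return new URL(urlString).origin;   // e.g. "http://example.com"
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// The post's example URLs, each compared against the first one, plus two
// extra cases. Second element = expected result.
const base = "http://example.com/dir/page.html";
const cases = [
  ["http://example.com/dir2/page2.html", true],   // only the path differs
  ["https://example.com/dir/page.html", false],   // scheme differs
  ["http://example.com:81/dir/page.html", false], // port differs
  ["https://other.com/dir/page.html", false],     // host (and scheme) differ
  ["http://example.com:80/dir/page.html", true],  // explicit default port is still the same origin
  ["http://192.0.2.10/dir/page.html", false],     // constructed IP: a different host, so a different origin
];

function checkAll() {
  return cases.map(([url, expected]) => {
    const sameOrigin = isSameOrigin(base, url);
    return { url, origin: originOf(url), sameOrigin, ok: sameOrigin === expected };
  });
}

for (const r of checkAll()) {
  console.log(r.ok ? "PASS" : "FAIL", r.origin, "same origin as base:", r.sameOrigin);
}
```

Note that URL.origin already handles case-folding of the host and default-port removal; a hand-written string comparison of "protocol, host, port" that forgets the default-port rule would wrongly treat http://example.com and http://example.com:80 as different origins.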

1.2 Same-origin policy

The same-origin policy is a security feature of the browser: client-side scripts from one origin cannot read or write another origin's resources without explicit authorization.

The same-origin policy restricts how a document or script loaded from one origin can interact with resources from another origin. It is an important mechanism for isolating potentially malicious documents from each other.


1.3 Cross-origin

Put simply, "cross-origin" means accessing a resource that does not belong to the current origin. This can happen through HTML tags (script, img, link, iframe and so on) or through JavaScript. When JavaScript makes a cross-origin request, the request is sent and the server does answer, but by default the browser does not hand the response back to the script.

1.4 Restrictions imposed by the same-origin policy

When the origins differ, JavaScript is subject to three restrictions:

Cookies, LocalStorage and IndexedDB of the other origin cannot be read

The other origin's DOM cannot be accessed

AJAX (XMLHttpRequest / fetch) requests can be sent, but the browser withholds the response from the script

In other words, the same-origin policy allows cross-origin "writes" but not cross-origin "reads". A write is the upstream direction, sending the request; a read is the downstream direction, receiving the response. This asymmetry is exactly why CSRF works: the request, cookies included, still reaches the server even though the attacker's script never sees the reply.

1.5 Two common ways to go cross-origin

1.5.1 JSONP

The page loads a remote script with a <script> tag, which the same-origin policy does not block, and the remote script delivers the data by calling a callback function that the page has defined.

1.5.2 CORS

A mechanism, built on additional HTTP header fields, proposed to solve cross-origin resource sharing.

When the browser makes a cross-origin request it automatically adds an Origin header. The server checks the Origin value to decide whether the request should be allowed and answers with Access-Control-Allow-Origin; it is that response header that lets the browser release the response to the calling script, which is how cross-origin access is achieved.

Security issues with CORS

When the response carries Access-Control-Allow-Credentials: true, the browser is allowed to include cookies (and other credentials) in the cross-origin request and to release the credentialed response to the script. This is where the security problems start.

If the value of Access-Control-Allow-Origin is attacker-controllable (for example, the server simply reflects the request's Origin header) and Access-Control-Allow-Credentials is true, then a website the attacker controls can read the victim's private data using the victim's own logged-in session.

When the main site establishes a CORS trust relationship with its sub-sites for resource sharing, an attacker who takes control of any one sub-site can read the main site's data as well.
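The three server-side behaviours just described, as an added example (not code from the original post): a reflected Origin, a loose suffix check that "trusts all sub-sites", and an exact allowlist. The allowlist entries and the attacker origin https://evilexample.com are constructed for the example; browserAllowsCredentialedRead is a small model of the browser's own check, not a real browser API.

```javascript
// Added example, not part of the original post. Constructed allowlist:
const trustedOrigins = new Set([
  "https://www.example.com",
  "https://app.example.com",
]);

// (1) Vulnerable: reflect whatever Origin the browser sent. Any site the
// victim visits can then read authenticated responses with
//   fetch(url, { credentials: "include" })
function corsReflect(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// (2) Still vulnerable: a suffix check meant to trust "all sub-sites". It also
// accepts attacker-registered look-alikes such as https://evilexample.com,
// and, as the post notes, any genuinely compromised sub-site.
function corsSuffix(origin) {
  if (origin.endsWith("example.com")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// (3) Hardened: exact match of the full origin (scheme + host + port) against
// an explicit allowlist. Unknown origins get no CORS headers at all, so the
// browser withholds the response from the calling script. Never put the
// literal "null" in the allowlist: sandboxed iframes and some redirects send
// Origin: null. Vary: Origin stops a cache from serving one origin's headers
// to another.
function corsAllowlist(origin) {
  if (!trustedOrigins.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Model of the browser-side decision: may a script running on `origin` read
// a credentialed response that carries `headers`? With credentials the
// wildcard "*" is rejected, so only an exact echo of the origin passes.
function browserAllowsCredentialedRead(origin, headers) {
  const allow = headers["Access-Control-Allow-Origin"];
  return allow === origin && allow !== "*" &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

const attacker = "https://evilexample.com";   // constructed attacker origin
const legit = "https://app.example.com";

function summary() {
  return {
    reflect_attacker:   browserAllowsCredentialedRead(attacker, corsReflect(attacker)),
    suffix_attacker:    browserAllowsCredentialedRead(attacker, corsSuffix(attacker)),
    allowlist_attacker: browserAllowsCredentialedRead(attacker, corsAllowlist(attacker)),
    allowlist_legit:    browserAllowsCredentialedRead(legit, corsAllowlist(legit)),
  };
}

console.log(summary());
```

When testing a real target, send a request with Origin set to an unrelated domain, a look-alike suffix (evilexample.com), a sub-domain you could plausibly control, and the literal value null; any response that echoes those back together with Access-Control-Allow-Credentials: true is the condition the post describes.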


2 Same-origin policy for cookies and the DOM

2.1 Cookies

Under the same-origin policy, sites of different origins cannot read each other's cookies, and by default this restriction also applies between a parent domain and its subdomains.

[screenshot]

You can see that the cookies on the two sites are not the same.

However, cookie scoping allows a Domain attribute to be set on the cookie, so that different sites under one parent domain can read each other's cookies.

[screenshots]

Setting Domain relaxes the browser's cookie isolation: a cookie the main site sets with Domain=example.com is sent to every sub-site as well, so starting from a sub-site you can read the main site's cookies.

Note

Cookie scoping does not distinguish protocol or port: a cookie set on http://example.com:80 is also sent to https://example.com:8443. The Secure attribute restricts a cookie to https, but the port is never part of the decision.
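The cookie scoping rule above, as an added example (not code from the original post): domain matching as defined in RFC 6265 section 5.1.3, applied to constructed cookies and URLs. The cookie objects are a simplified model with name, domain, hostOnly, secure and path fields, and the path check is a plain prefix test, simpler than the RFC's path-match.

```javascript
// Added example, not part of the original post.
// RFC 6265 s5.1.3: a host domain-matches a cookie domain if they are identical,
// or the host ends with "." + domain and the host is not an IP address.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Would a stored cookie be attached to a request for `url`?
// `cookie` is a constructed object: { name, domain, hostOnly, secure, path }.
// Note what is checked (host, path, Secure) and what is not (scheme except
// via Secure, and never the port).
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain.toLowerCase()  // no Domain attribute: exact host only
    : domainMatches(u.hostname, cookie.domain);   // Domain=...: parent and all subdomains
  const pathOk = u.pathname.startsWith(cookie.path || "/"); // simplified path-match
  const schemeOk = !cookie.secure || u.protocol === "https:";
  return hostOk && pathOk && schemeOk;
}

// Constructed cookies, as if set by the main site https://www.example.com:
// one shared with the whole parent domain, one host-only and Secure.
const sessionShared   = { name: "sess", domain: "example.com",     hostOnly: false, secure: false, path: "/" };
const sessionHostOnly = { name: "sess", domain: "www.example.com", hostOnly: true,  secure: true,  path: "/" };

function demo() {
  return {
    // Domain=example.com: the sub-site sees it, on any port and over plain http
    sharedToSub:       cookieSentTo(sessionShared, "http://sub.example.com:8080/app"),
    sharedToOtherPort: cookieSentTo(sessionShared, "http://example.com:81/"),
    // a suffix look-alike is NOT a match: the "." boundary matters
    sharedToLookalike: cookieSentTo(sessionShared, "http://evilexample.com/"),
    // host-only + Secure: only the exact host, only over https
    hostOnlyToSub:     cookieSentTo(sessionHostOnly, "https://sub.example.com/"),
    hostOnlyPlainHttp: cookieSentTo(sessionHostOnly, "http://www.example.com/"),
    hostOnlyHttps:     cookieSentTo(sessionHostOnly, "https://www.example.com:444/"),
  };
}

console.log(demo());
```

The practical consequence for a pentest: a session cookie with Domain=example.com is readable by JavaScript on any sub-site that is not protected by HttpOnly, and it is sent to a service on any port of any sub-domain, so an XSS or a takeover of the weakest sub-domain is enough to hijack the main site's session.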

2.2 DOM tree

Under the same-origin policy, sites of different origins cannot access each other's DOM. The example here is DOM access between a parent domain and a subdomain.

[screenshots]

By setting document.domain on both pages to their common parent domain, the browser's DOM isolation is relaxed: starting from the sub-site you can modify the DOM tree of the main site. Note that this is being removed from browsers: since Chrome 115 the document.domain setter has no effect by default, and a site that still relies on it must opt in on both pages with the Origin-Agent-Cluster: ?0 response header.

3 CORS vs CSRF

Similarities: both rely on a third-party website that the attacker controls

Both are driven by a request issued from the attacker's page (for CORS necessarily an AJAX/fetch request, since the point is to read the response; for CSRF an auto-submitted form works just as well)

Both usually require the victim to be logged in

Differences: with a CORS vulnerability the third-party website can read the victim's sensitive information

With a CSRF vulnerability the third-party website can make the victim perform a sensitive operation, such as a money transfer

Generally, where there is a CORS vulnerability there is also a CSRF vulnerability: the same credentialed cross-origin request that leaks data will also perform state-changing actions unless the server additionally demands a CSRF token or an equivalent check.
