Web Security: Cookies, Domains and CORS
Юрий Чайковский
About the same-origin policy, proposed back in 1995 and still relevant today, and about the use and limitations of cross-domain requests. An example of a CSRF attack, and the server configuration rules for protecting against it. About the latest additions concerning control over the origin of content to prevent XSS attacks. Also:
- The same-origin policy.
- Using cross-domain requests.
- CSRF attacks (with a demonstration).
- Classification of browser requests.
- Limitations of cross-domain requests.
- Server-side access control.
- Peculiarities of Internet Explorer 8 and 9.
- Content Security Policy (CSP).
10. What’s all about?
§ Same-origin policy
§ Cross domain requests use-cases
§ Making requests with XMLHttpRequest
§ CSRF attacks
§ Simple and not-so-simple requests
§ Cross-domain limitations & Access Control
§ Back-end implementation examples
§ Limitation in Internet Explorer 8, 9
§ Workarounds (proxy, JSONP)
§ Content Security Policy
11. Simple and not-so-simple requests
§ Simple requests use only GET, HEAD or POST
§ No custom headers (only what the browser sets itself, plus Accept, Accept-Language, Content-Language and Content-Type)
§ Content-Type only application/x-www-form-urlencoded, multipart/form-data, or text/plain
§ All other requests are preflighted
§ A simple request is delivered to the server without any preflight; the Access-Control headers only decide whether the page may read the response, so server-side state changes must not rely on CORS alone (see CSRF)

Preflighted request flow:
  browser → server: OPTIONS (Origin: http://example.com:81)
  server → browser: 200 with the Access-Control-Allow-... headers
  browser → server: the direct GET/POST/PUT/DELETE request, as allowed by those headers
12. Access-Control headers
§ A cross-origin request always contains an Origin header (scheme://host[:port] of the calling page, not just the host name)
§ Access-Control-Allow-Origin can be * for public, read-only resources
§ For requests that modify state it should be set to the explicit, whitelisted origin (and the response should carry Vary: Origin so caches do not serve one origin's answer to another)
§ Access-Control-Allow-Origin can't be * together with Access-Control-Allow-Credentials: true

Preflight request (browser → server):
  Origin: scheme://host[:port]
  Access-Control-Request-Method: PUT
  Access-Control-Request-Headers: …

Preflight response (server → browser):
  Access-Control-Allow-Origin: origin | *
  Access-Control-Max-Age: 300  (seconds the browser may cache this preflight result)
  Access-Control-Allow-Credentials: true  (the only valid value; omit the header otherwise)
  Access-Control-Allow-Methods: PUT, GET
  Access-Control-Allow-Headers: …
  Access-Control-Expose-Headers: …  (sent on the actual response; lists the non-default response headers the page may read)

http://www.html5rocks.com/en/tutorials/cors/
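The two slides above as working code. This is an added example, not code from the deck or from html5rocks: it classifies a request as simple or preflighted by the rules on slide 11 and builds the Access-Control-* response headers for a hypothetical server policy (the origins, methods and header names in `POLICY` are assumed values). `req` is a plain `{method, headers}` object with lower-cased header names, standing in for a framework request.

```javascript
// Added example: simple vs. preflighted classification and CORS response headers.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
// Request headers a browser may add on its own without triggering a preflight.
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Returns true when the browser will send an OPTIONS preflight before `method`
// with the given request headers ({name: value}).
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers || {})) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;        // custom header, e.g. X-CSRF-Token
    if (lower === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;    // e.g. application/json
    }
  }
  return false;
}

// Hypothetical server policy (assumed values, not from the deck).
const POLICY = {
  allowedOrigins: new Set(["https://app.example.com", "https://admin.example.com"]),
  allowCredentials: true,
  allowedMethods: ["GET", "POST", "PUT", "DELETE"],
  allowedHeaders: ["Content-Type", "X-CSRF-Token"],
  maxAgeSeconds: 300,
};

// Build the Access-Control-* headers for one request. Returns {} when the
// request must not be granted cross-origin access (the browser then blocks the page's read).
function corsResponseHeaders(policy, req) {
  const origin = req.headers.origin;
  if (origin === undefined) return {};                     // same-origin or non-browser client
  const out = {};
  if (policy.allowedOrigins === "*") {
    if (policy.allowCredentials) {
      throw new Error("Access-Control-Allow-Origin: * cannot be combined with Allow-Credentials: true");
    }
    out["Access-Control-Allow-Origin"] = "*";              // public, read-only resource
  } else {
    if (!policy.allowedOrigins.has(origin)) return {};     // not whitelisted
    out["Access-Control-Allow-Origin"] = origin;          // echo the single allowed origin ...
    out["Vary"] = "Origin";                                // ... and keep caches from mixing origins up
  }
  if (policy.allowCredentials) out["Access-Control-Allow-Credentials"] = "true";

  const requestedMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && requestedMethod !== undefined) {
    // Preflight: the browser asks whether the real request would be allowed.
    if (!policy.allowedMethods.includes(requestedMethod.toUpperCase())) return {};
    const requested = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const allowedLower = policy.allowedHeaders.map((h) => h.toLowerCase());
    if (requested.some((h) => !allowedLower.includes(h))) return {};
    out["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
    out["Access-Control-Allow-Headers"] = policy.allowedHeaders.join(", ");
    out["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  }
  return out;
}
```

Note that `corsResponseHeaders` never rejects the request itself: an unknown origin simply gets no CORS headers, and a simple request (say a form POST) has already reached the handler by then. Whatever the handler does with it has to be guarded separately, which is what the next slide is about.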
13. Prevent attacks
§ Keep a whitelist of origins and reject any request whose Origin header is not on it. The Access-Control-* response headers only restrict what the browser lets the page read; the request itself still reaches the server, so the check has to run on the server before the request is acted on.
§ If that is not possible, use an X-CSRF-Token:

  previous request  → server responds with a new X-CSRF-Token
  next request      → client sets the X-CSRF-Token header
                    → server validates the token before handling the request

http://mircozeiss.com/using-csrf-with-express-and-angular/
17. Manual implementation
§ Most probably you will never need to implement the CORS handshake by hand, but in case you do, the flowchart is at the link below
http://www.html5rocks.com/en/tutorials/cors/
19. Most loved browser
§ IE ≤ 7 is not a browser (no cross-origin XMLHttpRequest at all)
§ IE10+ is already a browser (CORS works on XMLHttpRequest)
§ IE8-9 can be handled with XDomainRequest
20. Limitation in Internet Explorer 8, 9
Feature detection

// Pick the transport that can make a cross-origin request in this browser,
// or return null when there is none.
function createCORSRequest(method, url) {
  var xhr = new XMLHttpRequest();
  if ("withCredentials" in xhr) {
    // "withCredentials" only exists on XMLHttpRequest2 objects, i.e. CORS-capable ones
    xhr.open(method, url, true);
  } else if (typeof XDomainRequest != "undefined") {
    // IE8/9: XDomainRequest, with the restrictions listed on the next slide
    xhr = new XDomainRequest();
    xhr.open(method, url);
  } else {
    // Otherwise, CORS is not supported by the browser
    xhr = null;
  }
  return xhr;
}
21. Limitation in Internet Explorer 8, 9
Things to remember
1. The target URL must be accessed using only the methods GET and POST
2. No custom headers may be added to the request
3. Only text/plain is supported for the request's Content-Type header
4. No authentication or cookies will be sent with the request
5. Requests must be targeted to the same scheme as the hosting page
6. The target URL must be accessed using the HTTP or HTTPS protocols
7. Requests targeted to Intranet URLs may only be made from the Intranet Zone
http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx
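Because XDomainRequest fails or silently drops things (cookies, in particular) rather than reporting which rule was broken, it helps to check the intended request against the list before falling back to it. The function below is an added example, not from the deck or the MSDN post: it returns the numbers of rules 1 to 6 the request would break. Rule 7 depends on IE's security-zone configuration and cannot be decided from script, so it is not checked. The URLs and `opts` shape (`{headers: {name: value}, withCredentials: bool}`) are this example's own.

```javascript
// Added example: which XDomainRequest restrictions would a given request hit?
function xdrViolations(pageUrl, targetUrl, method, opts) {
  const o = opts || {};
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const broken = new Set();

  const m = String(method).toUpperCase();
  if (m !== "GET" && m !== "POST") broken.add(1);      // rule 1: only GET and POST

  for (const [name, value] of Object.entries(o.headers || {})) {
    if (name.toLowerCase() === "content-type") {
      // rule 3: the only Content-Type XDR sends is text/plain
      if (String(value).split(";")[0].trim().toLowerCase() !== "text/plain") broken.add(3);
    } else {
      broken.add(2);                                     // rule 2: any other header is "custom"
    }
  }

  if (o.withCredentials) broken.add(4);                  // rule 4: cookies/auth are never sent

  if (target.protocol !== "http:" && target.protocol !== "https:") {
    broken.add(6);                                       // rule 6: http(s) only
  } else if (target.protocol !== page.protocol) {
    broken.add(5);                                       // rule 5: http page -> https API (or back) fails
  }

  return Array.from(broken).sort((a, b) => a - b);
}

// True when XDomainRequest can carry the request exactly as intended.
function canUseXDomainRequest(pageUrl, targetUrl, method, opts) {
  return xdrViolations(pageUrl, targetUrl, method, opts).length === 0;
}
```

Rule 4 is the one that bites in practice: a request that relies on a session cookie will arrive at the API unauthenticated, and the API will answer as if the user were logged out, with no error on the client side.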
25. Workarounds
JSONP Limitations
● JavaScript Object Notation is for reading, not for eval: a JSONP response is a script that the page executes, so the remote server is trusted completely.
● Can't add custom headers.
● Requires the ability to modify the backend (it has to wrap the JSON in the callback call).
● Only the GET method.
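The first limitation cuts both ways: the page must trust the server, and the server reflects a caller-supplied callback name straight into executable script, so a JSONP endpoint is a reflected-script sink unless the name is validated. The server side below is an added example, not the deck's code; the function and header names are this example's own choices, and the response is a plain object standing in for a framework response.

```javascript
// Added example: a JSONP endpoint's response builder, with the callback name validated
// before it is reflected and the body kept safe to execute as JavaScript.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;   // e.g. "cb" or "app.handle"

function jsonpBody(callback, data) {
  if (typeof callback !== "string" || callback.length > 64 || !CALLBACK_RE.test(callback)) {
    throw new Error("invalid JSONP callback name");   // anything else would run as script in the caller's page
  }
  // JSON.stringify leaves U+2028/U+2029 unescaped; they are line terminators in
  // JavaScript, so escape them to keep the body one valid statement.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  // The leading comment is the Rosetta Flash mitigation (a browser plugin cannot be
  // tricked into treating the body as its own file format); the typeof guard avoids a
  // ReferenceError if the callback has been removed by the time the script tag loads.
  return "/**/ typeof " + callback + " === 'function' && " + callback + "(" + json + ");";
}

function jsonpResponse(callback, data) {
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",   // the body is script; never let it be sniffed as anything else
      "Cache-Control": "private, no-store",  // per-user data must not land in a shared cache
    },
    body: jsonpBody(callback, data),
  };
}
```

The consumer side has no parser to call: the body is not JSON and `JSON.parse` rejects it, which is exactly the "read, not eval" point. The only way to use the data is to let the browser execute the script, so everything the server sends runs with the page's privileges.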