What is so bad about a server allowing everyone to make cross-domain AJAX requests? We would process those requests exactly the same way as requests from ordinary clients, and that's it. What am I missing?
2 answers
Because such an "allow-everything" policy:
significantly reduces the level of security on the web;
goes against the interests of people who create something other than trash on the network.
Suppose Vasya uses the popular site A, where he has an account and some personal/sensitive data. And now Vasya opens, in another browser tab, site B, made by Petya.
Petya is a bit sly. He placed on a page of his site a script that accesses site A. If a visitor to Petya's site is logged in there, Petya easily steals that visitor's data, and can also change or delete it.
In the real world, what prevents such Petyas from doing this? The same-origin policy!
Another example.
Ivan has made a page on his website where he regularly uploads his works, which interest a huge number of visitors. Ivan's site offers original content and works quickly; the visitors are satisfied.
And suddenly Ivan notices that his server is not coping, and visitors complain. Worse, Petya's website has appeared in the search engine with copies of Ivan's content, and not just with attribution of authorship, but surrounded by advertising like "porn-with-donkeys-download-now."
Looking at the logs, Ivan sees that his server is overwhelmed with requests from visitors to Petya's site (because Petya hooked up a jQuery parser with a 500 ms execution interval).
In the real world, what helps protect content from silly schoolchildren with jQuery and saves you from unnecessary load? The same-origin policy!
- Thanks for the answer! I want to clarify. It turns out that when Vasya visits site B, for some reason the script is executed and a transition to site A occurs. That site will return Vasya's data... but to where? It will return them to Vasya, not to Petya. The data will return to Vasya's browser, so how can anyone access it? - Semerkin 2:51 pm
- @Semerkin, the data is returned to a script that can do anything with it. Look: with one request the script receives data from site A's server, with a second one it sends that data to site B's server (which, for example, stores it in a database; or, in response, the script receives a command to perform some actions, for example send an advertising message to another user of site A). No transitions are performed, and the user will not notice any data transfer at all unless he is looking at the web console. - yar85 6:36 pm
If the server allows CORS (Cross-Origin Resource Sharing), then it becomes possible to use the data stored in the browser to access users' personal information.
For example, a cookie with the user's session is stored in the browser; it then becomes possible to perform actions on behalf of that user by sending requests oneself. One type of such attack is called CSRF.
There are many ways to protect against such attacks, but for security reasons many servers simply prohibit cross-domain access.
- I don't quite understand... How can one use the data in the browser? The browser is still controlled by the same client; how does cross-origin AJAX interfere with this? - Semerkin
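The following is an added example, not code from either answer or from any real site: an offline, in-memory model of the two browser-side checks the answers above describe. "Site A" is a tiny fake server and "the browser" is a function that attaches Vasya's cookie and then decides whether the calling page's script may read the response. It shows the first answer's point (Petya's script on site B cannot read what site A returns unless A opts in with CORS headers) and the second answer's point (even with no CORS at all, the request still reaches A with Vasya's cookie, so a state-changing POST goes through; that is CSRF, and an anti-CSRF token stops it precisely because Petya cannot read the token). The origins `a.example` and `b.example`, the cookie value, the user data and the token are all assumptions made for the illustration.

```javascript
// Constructed, offline model of the browser-side checks the two answers describe.
// Nothing here is real network code: "site A" is an in-memory fake server and
// "the browser" is a function. The origins, session cookie, user data and CSRF
// token value are assumptions made for the illustration.

const A_ORIGIN = 'https://a.example';   // Vasya's site with his account (assumed name)
const B_ORIGIN = 'https://b.example';   // Petya's site (assumed name)
const VASYA_COOKIE = 'sid=vasya-123';   // constructed session cookie for site A

// Site A's session store: cookie value -> session record (constructed data).
const SESSIONS = {
  [VASYA_COOKIE]: { user: 'vasya', email: 'vasya@a.example', csrf: 'tok-9f8e', transfers: 0 },
};

// Policies site A's administrator might choose.
const NO_CORS = {};                                                    // default: no CORS headers at all
const OPEN_TO_B = { allowOrigin: B_ORIGIN, allowCredentials: true };   // explicitly trusts b.example
const WILDCARD = { allowOrigin: '*', allowCredentials: true };         // the "allow everyone" idea
const TOKEN_REQUIRED = { requireCsrfToken: true };                     // no CORS, plus an anti-CSRF token

// Site A's server. GET /me returns the logged-in user's data (including the
// anti-CSRF token), POST /transfer performs a state change.
function siteA(req, policy) {
  const headers = {};
  if (policy.allowOrigin) headers['Access-Control-Allow-Origin'] = policy.allowOrigin;
  if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  const session = SESSIONS[req.cookie];
  if (!session) return { status: 401, headers, body: 'not logged in' };
  if (req.method === 'GET' && req.path === '/me') {
    const me = { user: session.user, email: session.email, csrf: session.csrf };
    return { status: 200, headers, body: JSON.stringify(me) };
  }
  if (req.method === 'POST' && req.path === '/transfer') {
    if (policy.requireCsrfToken && req.body.csrf !== session.csrf) {
      return { status: 403, headers, body: 'missing or wrong CSRF token' };
    }
    session.transfers += 1;                        // the side effect Petya is after
    return { status: 200, headers, body: 'transferred' };
  }
  return { status: 404, headers, body: '' };
}

// The browser: a script on `pageOrigin` sends a request to site A. Two separate
// steps matter. (1) The request is always delivered, with A's cookie attached
// (pre-SameSite behaviour; only "simple" requests without preflight are
// modelled). (2) The browser then decides whether the script may read the
// response: yes for the same origin, or when A's response names exactly this
// origin in Access-Control-Allow-Origin and allows credentials. A "*" is never
// accepted for a request that carried cookies.
function browserRequest(pageOrigin, method, path, body, policy) {
  const req = { method, path, body, cookie: VASYA_COOKIE, origin: pageOrigin };
  const res = siteA(req, policy);
  const acao = res.headers['Access-Control-Allow-Origin'];
  const acac = res.headers['Access-Control-Allow-Credentials'] === 'true';
  const readable = pageOrigin === A_ORIGIN || (acao === pageOrigin && acac);
  return { status: res.status, readable, body: readable ? res.body : null };
}

// Vasya's own page on site A reads his data: same origin, always readable.
function vasyaReadsOwnData() {
  return browserRequest(A_ORIGIN, 'GET', '/me', null, NO_CORS);
}

// Petya's script on site B tries the same. The request reaches A and gets a 200
// with Vasya's data, but unless A opted in, the browser withholds the body.
function petyaReadsData(policy) {
  return browserRequest(B_ORIGIN, 'GET', '/me', null, policy);
}

// CSRF: Petya's page POSTs a form to /transfer. Returns how many transfers the
// request caused on the server, regardless of whether Petya can read the reply.
function petyaPostsTransfer(policy) {
  const before = SESSIONS[VASYA_COOKIE].transfers;
  const res = browserRequest(B_ORIGIN, 'POST', '/transfer', { amount: 100 }, policy);
  return { status: res.status, readable: res.readable, transferred: SESSIONS[VASYA_COOKIE].transfers - before };
}

// The legitimate flow under TOKEN_REQUIRED: Vasya's page can read /me, so it can
// include the token; Petya's page cannot read /me, so it cannot.
function vasyaPostsTransferWithToken() {
  const before = SESSIONS[VASYA_COOKIE].transfers;
  const csrf = JSON.parse(vasyaReadsOwnData().body).csrf;
  const res = browserRequest(A_ORIGIN, 'POST', '/transfer', { amount: 100, csrf }, TOKEN_REQUIRED);
  return { status: res.status, transferred: SESSIONS[VASYA_COOKIE].transfers - before };
}

console.log('Vasya reads /me           :', vasyaReadsOwnData());
console.log('Petya, no CORS            :', petyaReadsData(NO_CORS));
console.log('Petya, ACAO b.example     :', petyaReadsData(OPEN_TO_B));
console.log('Petya, ACAO *             :', petyaReadsData(WILDCARD));
console.log('Petya CSRF, no token check:', petyaPostsTransfer(NO_CORS));
console.log('Petya CSRF, token required:', petyaPostsTransfer(TOKEN_REQUIRED));
console.log('Vasya with token          :', vasyaPostsTransferWithToken());
```

Two things worth taking from the model. First, "prohibiting cross-domain access" (sending no CORS headers) only blocks Petya from reading the response; the request, cookie and server-side effect still happen, which is exactly why CSRF needs its own defence (a token, as here, or SameSite cookies). Second, the model deliberately attaches the cookie to every cross-site request; current browsers default cookies to SameSite=Lax, so a cross-site POST from Petya's page would normally arrive without Vasya's session cookie unless the site set SameSite=None itself.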