
csrf - Without the same-origin policy, could an evil site read the CSRF token?

Reposted. Author: 行者123. Updated: 2023-12-02 01:11:52

From the Wikipedia article on the same-origin policy
https://en.wikipedia.org/wiki/Same-origin_policy

The same-origin policy helps protect sites that use authenticated sessions. The following example illustrates a potential security risk that could arise without the same-origin policy. Assume that a user is visiting a banking website and doesn't log out. Then, the user goes to another site that has some malicious JavaScript code running in the background that requests data from the banking site. Because the user is still logged in on the banking site, the malicious code could do anything the user could do on the banking site. For example, it could get a list of the user's last transactions, create a new transaction, etc. This is because the browser can send and receive session cookies to the banking site based on the domain of the banking site.



I understand this part, but now...

The user visiting the malicious site would expect that the site he or she is visiting has no access to the banking session cookie. While it is true that the JavaScript has no direct access to the banking session cookie ...



Because the session cookie is marked httpOnly?

... it could still send and receive requests to the banking site with the banking site's session cookie. Because the script can essentially do the same as the user would do, even CSRF protections by the banking site would not be effective.



The same-origin policy forbids cross-origin reads. So, if we assume no SOP is enforced, the malicious site could read the CSRF token from the response? Is that why Wikipedia says that even CSRF protection would not be effective?

Best answer

Yes, you've got it. Without the SOP, a malicious script would simply request any page that carries a CSRF token, read the token out of it, and then use that token to build its unsafe request.

So, in a world where the browser sends authentication cookies along with requests originating from foreign domains, both the SOP and CSRF protection are necessary to protect the user.

Regarding "csrf - Without the same-origin policy, could an evil site read the CSRF token?", a similar question exists on Stack Overflow: https://stackoverflow.com/questions/44927978/
