Access-Control-Allow-Origin cross-domain request security vulnerability

Source: Internet
Author: User

The newest standard for making cross-domain HTTP requests, Cross-Origin Resource Sharing (CORS), works by having the target server of the cross-domain request return a series of headers; those headers decide whether the cross-domain request is permitted.

These headers are (section numbers refer to the "Syntax" chapter of the Access Control specification):

  • 4 Syntax
    • 4.1  Access-Control-Allow-Origin  HTTP response header
    • 4.2  Access-Control-Max-Age  HTTP response header
    • 4.3  Access-Control-Allow-Credentials  HTTP response header
    • 4.4  Access-Control-Allow-Methods  HTTP response header
    • 4.5  Access-Control-Allow-Headers  HTTP response header
    • 4.6  Origin  HTTP request header
    • 4.7  Access-Control-Request-Method  HTTP request header
    • 4.8  Access-Control-Request-Headers  HTTP request header

Some of them travel in the request and some in the response.

The most sensitive one is the Access-Control-Allow-Origin header: it is what the browser checks to decide whether the cross-domain request is allowed through (the access control check).

The flow of a cross-domain request is roughly as follows:

A page at http://www.a.com/test.html issues a cross-domain request to http://www.b.com/test.php. If server B returns a header like

access-control-allow-origin: http://www.a.com

then the cross-domain request from http://www.a.com/test.html is allowed through.

During this exchange the request itself also carries the header Origin: http://www.a.com, which is what the server has to compare against.

What is far more dangerous is that the Access-Control-Allow-Origin value can also be the wildcard character *.

With *, the server accepts a request from any origin whatsoever.

One caveat a practitioner should know: browsers refuse to honour * for a request that carries credentials (cookies or HTTP authentication), so a bare * exposes only what an anonymous client could already fetch. The truly fatal variant is a server that echoes whatever Origin it receives back into Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true, because that lets any site read the victim's authenticated responses.

It is easy to imagine the horrible consequences once programmers abuse this feature, or deliberately use it to plant a backdoor.
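The access control check described above, and the difference between the three ways a server might set the header, as an added example that is not part of the original post. It is a stand-alone model of the browser-side decision for a simple GET, written in JavaScript; the server policies (wildcard, naive reflection, allowlist), the allowlist contents and the attacker origin http://evil.example are all assumptions constructed for the demonstration, not code from www.b.com/test.php.

```javascript
// Added example: model of the browser's CORS access check plus three
// hypothetical server policies for Access-Control-Allow-Origin.
// Not code from the original post; origins and policies are constructed.

// Normalise header names to lowercase so lookups are case-insensitive,
// as HTTP header names are.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Decide whether a page at requestOrigin may read a response that carries
// responseHeaders. withCredentials models XMLHttpRequest.withCredentials
// (cookies / HTTP auth attached). Returns { allowed, reason }.
function corsCheck(requestOrigin, responseHeaders, withCredentials) {
  const h = normalizeHeaders(responseHeaders);
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  // Exactly one value is permitted; a list such as "a, b" is rejected.
  if (acao.includes(",") || /\s/.test(acao)) {
    return { allowed: false, reason: "multiple values in Access-Control-Allow-Origin" };
  }
  if (acao === "*") {
    // Browsers refuse the wildcard for credentialed requests.
    if (withCredentials) {
      return { allowed: false, reason: "wildcard not honoured with credentials" };
    }
    return { allowed: true, reason: "wildcard, anonymous request" };
  }
  // Non-wildcard value must match the request's Origin byte for byte
  // (scheme, host and port).
  if (acao !== requestOrigin) {
    return { allowed: false, reason: "origin mismatch: " + acao };
  }
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentials not allowed by server" };
  }
  return { allowed: true, reason: "origin matched" };
}

// Assumed set of trusted origins for the allowlist policy.
const ALLOWLIST = new Set(["http://www.a.com"]);

// Three hypothetical ways a server like www.b.com/test.php might answer.
function serverPolicy(policy, requestOrigin) {
  switch (policy) {
    case "wildcard": // the bare * the post warns about
      return { "Access-Control-Allow-Origin": "*" };
    case "reflect": // echoes any Origin and allows credentials: a backdoor
      return {
        "Access-Control-Allow-Origin": requestOrigin,
        "Access-Control-Allow-Credentials": "true",
      };
    case "allowlist": // only a known origin gets the header back
      if (!ALLOWLIST.has(requestOrigin)) return {};
      return {
        "Access-Control-Allow-Origin": requestOrigin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
      };
    default:
      throw new Error("unknown policy " + policy);
  }
}

// Run one request from requestOrigin against a policy and return the check.
function evaluate(policy, requestOrigin, withCredentials) {
  return corsCheck(requestOrigin, serverPolicy(policy, requestOrigin), withCredentials);
}

// Demonstration: the post's origin and an attacker origin, with and
// without credentials, against each policy.
for (const policy of ["wildcard", "reflect", "allowlist"]) {
  for (const origin of ["http://www.a.com", "http://evil.example"]) {
    for (const creds of [false, true]) {
      const r = evaluate(policy, origin, creds);
      console.log(policy, origin, creds ? "with creds" : "anonymous",
                  r.allowed ? "ALLOWED" : "blocked", "-", r.reason);
    }
  }
}
```

Read the output as a threat model: "wildcard" lets http://evil.example read anonymous responses only; "reflect" lets it read credentialed responses, which is the backdoor case; "allowlist" returns nothing to an unknown Origin, so the browser blocks the read.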

Captured with a proxy on Firefox 3.1 Beta 2, the exchange looks like this:

GET http://www.b.com/test.php HTTP/1.1
Host: www.b.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2 Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.5
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.a.com/test.html
Origin: http://www.a.com
Cache-Control: max-age=0

HTTP/1.1 200 OK
Date: Thu, 06:28:54 GMT
Server: Apache/2.0.63 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Access-Control-Allow-Origin: *
Content-Length: 28
Content-Type: text/html

Cross Domain Request test!

The two pieces of code are roughly as follows.

www.a.com/test.html (save as an HTML file if it does not run inline):

<script>
// Cross-domain GET from www.a.com to www.b.com using the standard XMLHttpRequest.
var client = new XMLHttpRequest();
client.open("GET", "http://www.b.com/test.php");
client.onreadystatechange = function () {
  // readyState 4 means the response is complete; the body is readable
  // only if server B returned a matching Access-Control-Allow-Origin.
  if (client.readyState === 4) {
    alert(client.status + ": " + client.responseText);
  }
};
client.send(null);
</script>

www.b.com/test.php (reconstructed from the capture above: it emits the wildcard header and the test string):

<?php
header("Access-Control-Allow-Origin: *");
echo "Cross Domain Request test!";
?>

Besides this header, a number of other headers control things such as the permitted methods and how long the preflight result may be cached; refer to the standard for details, which are not repeated here.

For security reasons, the cross-domain script cannot read the other site's document.cookie.

On IE8 Beta 2 the cross-domain request is made through XDomainRequest instead, with code similar to the following:

// xdomainUrl is the target on the other domain, e.g. http://www.b.com/test.php.
var xdomainUrl = "http://www.b.com/test.php";
var request = new XDomainRequest();
request.open("GET", xdomainUrl);
request.onload = function () {
  alert(request.responseText);
};
request.send();

This likewise requires the other server to return the Access-Control-Allow-Origin header.

The IE developers released a short video today: http://ieblog.members.winisp.net/images/XdomainRequest-small.wmv

At present, the browsers that support this cross-domain mechanism are:

Firefox 3.1 Beta 2

IE 8 Beta 2

It will take some time before it is widely adopted.

Finally, the Firefox 3.1 documentation for cross-domain requests:
Https://developer.mozilla.org/En/HTTP_access_control
