I was puzzled to see this contradiction on the OWASP site cheatsheet for CORS:

  • Take special care when using Access-Control-Allow-Credentials: true response header. Whitelist the allowed Origins and never echo back the Origin request header in Access-Control-Allow-Origin.
  • Allow only selected, trusted domains in Access-Control-Allow-Origin header. Prefer whitelisting domains over blacklisting or allowing any domain (either through * wildcard or echoing the Origin header content).

There's a lot of information floating around out there that you should echo back the Origin request header so I can't imagine a reason for not doing that other than a public API where you would use a * wildcard. My point is that if you whitelist the origin's domain, as recommended here, then you can protect against spoofing the Origin header. Am I missing something? Is this just a typo on that cheatsheet?


Solution

I think the 2nd recommendation is worded poorly. They are both saying that you should avoid echoing back the Origin header. By "echoing back", I think they mean blindly putting the value of the Origin header in the Access-Control-Allow-Origin header, without any intermediate checks (such as a whitelist). Also note that these are recommendations and not absolute rules, and should be interpreted through the lens of your needs. The more open and public the API is, the more acceptable a * value is.
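To make the distinction in the answer concrete, here is an added example (not from the question, the answer, or the OWASP cheat sheet) that computes CORS response headers from a request's Origin in three ways: the blind echo the cheat sheet warns against, the whitelisted echo it recommends, and the wildcard form for a public API. The function names and the allow-list entries are assumptions made for illustration.

```javascript
// Added example, not code from the question or from OWASP. Function names
// and allow-list entries are assumptions for illustration.

// Constructed allow-list: the only origins permitted to make credentialed
// cross-origin requests to this API.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// The anti-pattern both cheat-sheet bullets describe: the Origin request header
// is copied into Access-Control-Allow-Origin with no intermediate check. Paired
// with Access-Control-Allow-Credentials: true, this lets any site the user's
// browser visits read authenticated responses from the API.
function blindEchoCorsHeaders(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// The recommended form: the Origin is compared as an exact string against the
// allow-list. A listed origin is echoed back (the only value a credentialed
// response may carry, since '*' is rejected by browsers in that case); any
// other origin gets no Access-Control-Allow-Origin header at all, so the
// browser's same-origin policy blocks the cross-origin read.
function allowlistedCorsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Vary: Origin keeps a shared cache from serving one origin's
    // Access-Control-Allow-Origin value to a request from another origin.
    'Vary': 'Origin',
  };
}

// A public, unauthenticated API: the wildcard is acceptable here, and no
// Allow-Credentials header is sent, because the two cannot be combined.
function publicCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Stand-alone demonstration of the three behaviours on constructed origins.
for (const origin of ['https://app.example.com', 'https://other.example', undefined]) {
  console.log(origin, '->',
    'echo:', blindEchoCorsHeaders(origin)['Access-Control-Allow-Origin'],
    '| allowlist:', allowlistedCorsHeaders(origin)['Access-Control-Allow-Origin']);
}
```

The allow-list check uses an exact string match on the full origin (scheme, host and port), which is the property that makes echoing the header safe; a prefix, suffix or regular-expression match on the host is a common way this check is weakened, so when a check must accept many subdomains it should parse the origin and compare the host component explicitly rather than pattern-match the raw header.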

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow