Why does the Same Origin Policy prevent reading GET responses?

I did some research on the web and searched through some questions about the SOP and what kinds of abuse it mitigates, but most answers focus on preventing credential theft. That makes sense to me.

What I don't understand is why a browser that follows the SOP rules blocks the response entirely, rather than just blocking cookie and local storage access.

In other words, if cookies and local storage did not exist, would there still be a need to block reading GET responses? Presumably <img>, <script> and <iframe> already do this to some extent.

According to the Mozilla Developer Network:

The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is a critical security mechanism for isolating potentially malicious documents.

According to RFC 6454:

Although user agents group URIs into origins, not every resource in an origin carries the same authority (in the security sense of the word "authority", not in the [RFC3986] sense). For example, an image is passive content and, therefore, carries no authority, meaning the image has no access to the objects and resources available to its origin. By contrast, an HTML document carries the full authority of its origin, and scripts within (or imported into) the document can access every resource in its origin.

To answer your question: even if cookies and local storage did not exist, executing an unknown script in the context of a document would still be dangerous. Such scripts could make XHR requests from the same IP as authorized scripts, and misbehave.