Without Same Origin Policy could an evil site read the CSRF token?

From the Wikipedia article on the Same-origin policy:
https://en.wikipedia.org/wiki/Same-origin_policy

The same-origin policy helps protect sites that use authenticated sessions. The following example illustrates a potential security risk that could arise without the same-origin policy. Assume that a user is visiting a banking website and doesn't log out. Then, the user goes to another site that has some malicious JavaScript code running in the background that requests data from the banking site. Because the user is still logged in on the banking site, the malicious code could do anything the user could do on the banking site. For example, it could get a list of the user's last transactions, create a new transaction, etc. This is because the browser can send and receive session cookies to the banking site based on the domain of the banking site.

This part I understand, but now...

The user visiting the malicious site would expect that the site he or she is visiting has no access to the banking session cookie. While it is true that the JavaScript has no direct access to the banking session cookie ...

Because the session cookie is flagged httpOnly?

... it could still send and receive requests to the banking site with the banking site's session cookie. Because the script can essentially do the same as the user would do, even CSRF protections by the banking site would not be effective.

The Same Origin Policy forbids cross-origin reads. So, if we assume SOP is not enforced, the evil site could read the CSRF token from the response? Is that why Wikipedia says even CSRF protections would not be effective?

Yes, you've got it. Without SOP, the malicious script would simply request any page that carries a CSRF token, read it, and then use that token to build its unsafe request.

So, in a world where browsers send authentication cookies with requests coming from foreign domains, both SOP and CSRF protections are needed to protect users.