| CARVIEW |
Select Language
HTTP/2 200
date: Thu, 31 Jul 2025 00:03:20 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"6ffd0f9dd433c1ea1c08dbe32148177a"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=y3hbDHnjTKGWoIi0ToUtEAlVViVIEuD4XU%2BUPGsErvh%2BemJeEWr2%2B9u5WHaJpoWJQHmF8J8HOlaJiMaGe6RsX9cRieB%2Fe90rPdHgaXgb202yU4%2BqrsMNWWEf9Wk%2FdDPjH%2F%2B%2BMmmoZK6ZnLCjfE5v1LGVMdTNTJQWFj9UL7gb2cojzeh5JSxslwKHJ%2FaJj8zn1VkRKZTePn%2BS9aoJz0wqH3zUEO12mAJvY3h3l%2BKd4N7oE1VqJZl4lfvUIMe4MEglCH3CidVHK6wec%2FCFddMnuQ%3D%3D--%2BCWIPLeNRjvsLzx5--GqaYmEcUfUbGjCckLRJRKw%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.1744401333.1753920200; Path=/; Domain=github.com; Expires=Fri, 31 Jul 2026 00:03:20 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Fri, 31 Jul 2026 00:03:20 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: EAE6:FA5FC:D9AA5:149A1A:688AB2C8
CORS · JoyChou93/java-sec-code Wiki · GitHub
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 697
CORS
JoyChou edited this page Dec 12, 2019
·
10 revisions
前端发起AJAX请求都会受到同源策略(CORS)的限制。发起AJAX请求的方法:
- XMLHttpRequest
- JQuery的
$.ajax - Fetch
前端在发起AJAX请求时,同域或者直接访问的情况下,因为没有跨域的需求,所以Request的Header中的Origin为空。此时,如果后端代码是response.setHeader("Access-Control-Allow-Origin", origin),那么Response的header中不会出现Access-Control-Allow-Origin,因为Origin为空。
<html>
<script src="https://cdn.bootcss.com/jquery/3.3.1/jquery.min.js">
</script>
<body>
<script>
$.ajax({
type: "GET",
url: "https://localhost:8080/cors/vuls2",
success: function(data) {
alert(data);
},
error: function(msg) {
alert(msg)
}
});
</script>
</body>
</html>
- 同域的请求会自动带上Cookie。
- Origin为空,表示是同域或直接访问,视为安全情况。做安全限制需要注意空Origin,不要一起限制了。
- 后端设置
Access-Control-Allow-Origin为*的情况下,跨域的时候前端如果设置withCredentials为true会异常。The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. - 后端设置
Access-Control-Allow-Credentials为true,表示跨域请求后端接口时,允许带上Cookie。此时,前端必须设置withCredentials为true。同时,由于Cookie本身也受同源策略限制,所以Cookie要实现跨域,还需要满足:- 相同的一级域名(比如joychou.org)
- Cookie的domain设置为
.joychou.org
- 不能实现a.com带上Cookie跨域请求b.com,b.com的请求中头的Cookie不会存在a.com的Cookie。
测试在xxx.joychou.org跨域请求test.joychou.org,并且成功在test.joychou.org请求头里带上xxx.joychou.org的Cookie。相关步骤:
- xxx.joychou.org设置一个
aaa=bbb,domain为.joychou.org的Cookie - xxx.joychou.org的test.html,前端代码设置
withCredentials为true - test.joychou.org后端设置
Access-Control-Allow-Credentials为true - test.joychou.org后端设置
Access-Control-Allow-Origin为Origin里的值
https://xxx.joychou.org/test.html 代码:
<html>
<script src="https://cdn.bootcss.com/jquery/3.3.1/jquery.min.js">
</script>
<body>
<script>
$.ajax({
type: "GET",
url: "https://test.joychou.org",
xhrFields: {
withCredentials: true
},
success: function(data) {
alert(data);
},
error: function(msg) {
alert(msg)
}
});
</script>
</body>
</html>存在漏洞配置:
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
add_header 'Access-Control-Allow-Credentials' 'true';
or
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
add_header 'Access-Control-Allow-Credentials' 'true';
修复方案需要限制origin:
add_header 'Access-Control-Allow-Origin' https://test.joychou.org;
add_header 'Access-Control-Allow-Origin' https://test.joychou.org;
Clone this wiki locally
You can’t perform that action at this time.