Does a proper CORS setup prevent XSRF?

三世轮回 submitted on 2019-12-03 04:12:03

Question


If CORS is properly set up on a server to only allow certain origins to access the server, is this enough to prevent XSRF attacks?


Answer 1:


To be more specific, it is easy to make the mistake of thinking that if evil.com cannot make a request to good.com due to CORS then CSRF is prevented. There are two problems being overlooked, however:

  1. CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.com make a request to good.com. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.

  2. It is easy to overlook the fact that CORS is only for JS requests. A regular form on evil.com that POSTs back to good.com will still work despite CORS.

For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.




Answer 2:


No!

CORS enables sharing between two domains, whereas XSRF is an attacking method that does not depend on CORS in any way.

I don't understand what you mean by "CORS is properly set up", but when attacking with XSRF, the browser doesn't ask for CORS headers on the server.

CORS is not security :)




Answer 3:


No.

The Same Origin Policy (which CORS allows you to punch selective holes through) prevents third party sites from masquerading as a user in order to read (private) data from another site.

A Cross Site Request Forgery attack is when a third party site masquerades as a user to submit data to another site (as that user). It doesn't need to read the response back.
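The point made in answers 1 and 3 (CORS is enforced only by the browser, only governs whether a script may read the response, and does nothing about a plain form POST, whereas a synchronizer token does stop the request) can be seen in a small simulation. This is an added example, not code from the Stack Overflow thread: both the "good.com" handler and the "browser" are toy models written here, and the session cookie, token, origins and balance values are constructed. It assumes the victim's session cookie is attached to cross-site requests, which is the classic CSRF setting.

```python
# Added example (not from the thread): a simulated good.com endpoint with an
# allow-listed CORS policy, plus a simulated browser issuing cross-site requests
# from evil.com. It shows which requests reach the server, which change state,
# and which responses evil.com's script could read. Assumption: the session
# cookie is sent on cross-site requests (no SameSite restriction).
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

GOOD_ORIGIN = "https://good.com"
EVIL_ORIGIN = "https://evil.com"
ALLOWED_ORIGINS = {GOOD_ORIGIN}          # the "properly set up" CORS allow-list
SESSION_COOKIE = "session=abc123"        # constructed sample session cookie


@dataclass
class Request:
    method: str
    path: str
    origin: Optional[str]                # Origin header as the browser would attach it
    cookie: Optional[str]
    content_type: str = "application/x-www-form-urlencoded"
    form: dict = field(default_factory=dict)


@dataclass
class GoodServer:
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    balance: int = 100
    require_token: bool = True

    def cors_headers(self, req):
        # CORS headers only tell the *browser* whether a script on req.origin may
        # read the response; they are advice to the client, not access control.
        if req.origin in ALLOWED_ORIGINS:
            return {"Access-Control-Allow-Origin": req.origin,
                    "Access-Control-Allow-Credentials": "true"}
        return {}

    def handle(self, req):
        """Return (status, headers). POST /transfer moves money."""
        headers = self.cors_headers(req)
        if req.method == "OPTIONS":       # preflight: no side effects, just the CORS answer
            return 204, headers
        if req.cookie != SESSION_COOKIE:
            return 401, headers
        if req.method == "POST" and req.path == "/transfer":
            supplied = req.form.get("csrf", "")
            # Synchronizer token: compared in constant time against the session's token.
            if self.require_token and not hmac.compare_digest(supplied, self.csrf_token):
                return 403, headers
            self.balance -= int(req.form.get("amount", 0))
            return 200, headers
        return 404, headers


def browser_cross_site(server, mechanism, form):
    """Simulate a browser on evil.com sending one request to good.com.

    mechanism: 'form'       - auto-submitted HTML form (never subject to CORS)
               'xhr_simple' - fetch() with a form-encoded body (a "simple" request)
               'xhr_json'   - fetch() with a JSON body (browser preflights first)
    Returns whether the request was sent, whether server state changed, and
    whether evil.com's script could read the response.
    """
    before = server.balance
    ctype = "application/x-www-form-urlencoded"
    if mechanism == "xhr_json":
        _, hdrs = server.handle(Request("OPTIONS", "/transfer", EVIL_ORIGIN, None))
        if hdrs.get("Access-Control-Allow-Origin") != EVIL_ORIGIN:
            # Preflight refused: the browser never sends the real request.
            return {"sent": False, "state_changed": False, "readable": False, "status": None}
        ctype = "application/json"
    req = Request("POST", "/transfer", EVIL_ORIGIN, SESSION_COOKIE, ctype, dict(form))
    status, hdrs = server.handle(req)
    # A form submission is a navigation: the attacker's script never sees the reply.
    # For fetch(), the reply is opaque unless the CORS header names evil.com.
    readable = mechanism != "form" and hdrs.get("Access-Control-Allow-Origin") == EVIL_ORIGIN
    return {"sent": True, "state_changed": server.balance != before,
            "readable": readable, "status": status}


def legitimate_transfer(server, amount):
    """Same-origin form on good.com that carries the session's token."""
    req = Request("POST", "/transfer", GOOD_ORIGIN, SESSION_COOKIE,
                  form={"amount": str(amount), "csrf": server.csrf_token})
    status, _ = server.handle(req)
    return status, server.balance


def run_matrix():
    """Try every cross-site mechanism with and without the token check."""
    results = {}
    for require_token in (False, True):
        for mechanism in ("form", "xhr_simple", "xhr_json"):
            server = GoodServer(require_token=require_token)
            results[(mechanism, require_token)] = browser_cross_site(
                server, mechanism, {"amount": "40"})
    return results


if __name__ == "__main__":
    for key, outcome in run_matrix().items():
        print(key, outcome)
```

Reading the matrix: with the token check off, the form POST and the "simple" fetch both reach the server and change the balance even though evil.com is not in the allow-list; CORS only keeps the response unreadable, which a CSRF attack does not need. Only the JSON fetch is stopped, and that is the browser declining to send it after the preflight. With the token check on, every cross-site attempt that reaches the server gets a 403, while the same-origin form that carries the token still succeeds.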




Answer 4:


Maybe

Man, this is a tough one, and it's far more complex than the others have provided for. So "maybe".

First, CORS is intended to "relax" same-origin-policy which is a default that prevents a specific type of CSRF attack. But, same-origin doesn't apply on all kinds of requests.

So the longer the session needs to time out and the more the user surfs around untrusted sites, the higher the risk is to pop onto one with a CSRF attack on it. Any tag which fires a request to an external resource can be used to perform a hidden CSRF attack – including images, link tags, some meta tags, embed and object tags and so on. Same goes for attributes which load background images or similar. You can even check if your site has been validated by someone if you replace the DTD file in the very header of the application's markup with a resource on your servers – that's CSRF too. (source)

For an example of that, check this:

<img src=victim.bank/check.png?account=...>; to get a check photo from a vulnerable bank site, without generating origin headers or preflighted requests. [...] The photos will be displayed, and the attackers can get the photo data using JavaScript and send them back. (source)

However, at least one source suggests that perhaps in the future web servers will return images with Access-Control-Allow-Origin (CORS) headers on images that will stop browsers from rendering the image. This will prevent CSRF-GET attacks of this sort.

If the browser checks the Access-Control-Allow-Origin header in the response and refuses to display it, it will be an effective defense. (source)




Answer 5:


Actually, CORS does contribute to security. CORS helps a lot in relation to XSS and CSRF attacks between different hosts. If a website has an XSS vulnerability and the attacker wants to use it to send a malicious request to another webpage through XMLHttpRequest, thanks to CORS he is not going to be able to.



Source: https://stackoverflow.com/questions/19793695/does-a-proper-cors-setup-prevent-xsrf
