javascript - Why is CORS without credentials forbidden?


I am trying to understand why cross-domain requests are not allowed without credentials (by default, i.e. without an Access-Control-Allow-Origin header). Everything is very straightforward in the case of a request with credentials: you could perform malicious actions on some other site, for example on Facebook, if you are logged in there.

For example, this request:

  xhr = new XMLHttpRequest();
  xhr.open('GET', 'http://www.google.com');
  xhr.send();

generates an error (I executed it from this site in Chrome's console):

XMLHttpRequest cannot load http://www.google.com. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin is therefore not allowed access.

So the server needs to send an appropriate header (such as Access-Control-Allow-Origin: *) for this request to succeed.

This is just a simple request, and no cookie is sent. What is the point of this restriction? If such a CORS request were allowed, could there be security problems?

By "without credentials" I mean the default settings for XMLHttpRequest, withCredentials = false, meaning that no cookie is sent with the request.

I will go ahead and steal from security.SE:

The main concern here is access control based on network topology. Suppose you run an HTTP service on your home network (in fact, you almost certainly do, if your router has a web interface). Call this service R; it can only be reached from machines connected to your home router.

When your browser visits evil.example.com, that site serves a script to your browser asking it to fetch the contents of R and send them back to evil.example.com. That is potentially bad, even without credentials, because it breaches the assumption that nobody outside your local network can see the services running inside it. The same-origin policy prevents this from happening; if the same-origin policy only came into play when credentials were involved, it would open up the possibility of circumventing topology-based security.

Also consider some public services that grant access based on IP address:

  • The Oxford English Dictionary restricts access to its online entries to the IP addresses of subscribing universities.
  • The BBC restricts access to some of its content to IP addresses within the United Kingdom.

In all the cases listed, any browser could be used as an unwitting proxy by a site that serves such a script.
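To make the answer's point concrete, here is an added example (not part of the original question or answer, and not a real browser) that models the CORS check a browser applies to a cross-origin response, as the Fetch standard specifies it, and runs it against the router scenario above. The router address 192.168.1.1, the origins evil.example.com, api.public.example and bank.example, and the canned responses are all constructed for illustration; nothing here touches a network. It also generalises to the credentialed case from the first paragraph of the question, where a wildcard Access-Control-Allow-Origin is rejected.

```javascript
// Added example, not from the original post: a model of the browser's CORS
// response check (Fetch standard, "CORS check") applied to the answer's
// router scenario. Every host, origin and response below is constructed.

// Simulated servers keyed by URL. The router (assumed address 192.168.1.1)
// answers every request but sends no Access-Control-Allow-Origin header,
// exactly like www.google.com in the question.
const SIMULATED_SERVERS = {
  "http://192.168.1.1/": {
    status: 200,
    headers: {},
    body: "<html>Router admin: firmware 1.2.3, WAN IP 203.0.113.7</html>",
  },
  "http://api.public.example/": {
    status: 200,
    headers: { "access-control-allow-origin": "*" },
    body: '{"hello":"world"}',
  },
  "http://bank.example/balance": {
    status: 200,
    headers: {
      "access-control-allow-origin": "*",
      "access-control-allow-credentials": "true",
    },
    body: '{"balance":1234}',
  },
};

// The CORS check as the Fetch standard specifies it:
// - credentials omitted: ACAO must be "*" or exactly the requesting origin;
// - credentials included: ACAO must be exactly the origin ("*" is rejected)
//   AND Access-Control-Allow-Credentials must be "true".
// Header names are assumed already lower-cased by the simulated transport.
function corsCheck(requestOrigin, withCredentials, headers) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;          // the case in the question
  if (!withCredentials) {
    return acao === "*" || acao === requestOrigin;
  }
  if (acao !== requestOrigin) return false;       // wildcard not allowed here
  return headers["access-control-allow-credentials"] === "true";
}

// What the page's script observes after a cross-origin GET. The request
// itself still reaches the server (a simple GET is sent without a preflight);
// the check only decides whether the script may read the reply.
function simulatedCrossOriginFetch(requestOrigin, url, { withCredentials = false } = {}) {
  const server = SIMULATED_SERVERS[url];
  if (!server) throw new Error(`no simulated server for ${url}`);
  const exposed = corsCheck(requestOrigin, withCredentials, server.headers);
  return {
    requestReachedServer: true,
    status: server.status,
    exposed,
    body: exposed ? server.body : null,
    error: exposed ? null : "response blocked by CORS check",
  };
}

// The attack in the answer: a script served by evil.example.com tries to read
// the router's admin page so it can forward it to the attacker.
function attemptExfiltration(attackerOrigin, targetUrl) {
  const result = simulatedCrossOriginFetch(attackerOrigin, targetUrl);
  return { leaked: result.exposed, payload: result.body };
}

// Stand-alone run: the router reply is never exposed to the attacker's script.
console.log(attemptExfiltration("http://evil.example.com", "http://192.168.1.1/"));
```

Two things worth noticing. First, `requestReachedServer` is always true: the same-origin policy does not stop the GET from being sent, it only stops the attacker's page from reading the answer, which is why the router's web interface must still defend itself against state-changing GETs. Second, the bank case shows that a server cannot opt a cookie-bearing response out of the policy with `Access-Control-Allow-Origin: *`; it has to name the origin explicitly, which is the browser's way of forcing the server to make a deliberate trust decision.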
