*Origin: scheme(protocol), hostname(domain), port of URL
HTTP-header 기반의 보안 메커니즘
즉, web brower에서 실행 되는 보안 조치
탄생배경
- 도메인간의 요청이 오고가면서 보안의 위험이 발생
- SOP(the same-origin policy)의 한계 발생
- SOP: 한 도메인의 문서나 스크립트가 어떻게 다른 도메인과 상호작용을 할건지에 대한 보안 메커니즘
- 한계점
- 다른 도메인들에 있는 API들간의 데이터 공유시 보안 문제
- 웹 app 에서 다루는 다양한 소스로 부터 얻은 데이터 처리
- 최근 웹 어플리케이션에서 발생 하는 다양한 리소스및 서비스간 의 cross-origin interaction을 다루지 못함
- 다른 도메인에서 리소스 로드
- 외부서비스에 API call 생성 ( 한 app 에서 다른 서버에 있는 API에 요청을 하는 행위)
목적
- SOP 를 기반으로 유연하고 안전하게 cross-origin requests 를 하기 위함
- 유저의 데이터 보호
- 악의적인 웹페이지가 다른 도메인의 민감한 정보에 대한 접근을 방지
동작방식
- 웹 페이지 A가 특정 서버에 데이터를 요청
- 원하는 것이 무엇인지에 대한 정보가 있는 `Origin`을 헤더에 담아서 요청 전송
- 해당 서버는 CORS 정책에 따라 이 요청을 허락할지 거절할지 결정
- 요청을 허락하게 되면 CROS 는 `Access-Control-Allow-Origin` 라는 헤더에 허락된 origin 정보를 담아서 응답
- 이 헤더에는 허락된 origin을 담거나, 모든 origin을 허용하는 와일드 카드인 `*` 를 사용할 수 있다.
참고자료
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
https://www.npmjs.com/package/cors
https://chat.openai.com/c/67d26a77-236d-4937-968a-412b96379988
ChatGPT 답변 + 내용 수정
더보기
Certainly! CORS stands for Cross-Origin Resource Sharing. It is a security feature implemented in web browsers to manage how web applications running at one origin (domain) can request resources from another origin.
Here's a breakdown of its key aspects:
- Same-Origin Policy: By default, web browsers enforce a security measure called the Same-Origin Policy (SOP). This policy restricts web pages from making requests to a different domain than the one that served the web page. Its primary purpose is to protect user data and prevent malicious scripts on one page from obtaining access to sensitive data on another.
- The Need for CORS: Sometimes, legitimate web applications need to make cross-origin requests. For example, a web application hosted on example.com might need to request resources from api.example.com or a third-party API hosted on a different domain. CORS provides a way to allow these cross-origin requests safely.
- How CORS Works: CORS works through HTTP headers.
- When a web application makes a cross-origin request, the browser sends an HTTP request to the target server with an `Origin` header, indicating the origin of the request.
- The server can then decide whether to allow or deny the request based on its CORS policy. If the server allows the request, it responds with specific CORS headers, like `Access-Control-Allow-Origin`, indicating which origins are permitted.
- This header lists the allowed origns or a wildcard to indicagte that any origins is allowed.
- Simple and Preflight Requests: There are two types of CORS requests - Simple and Preflight. Simple requests are basic requests like GET or POST with certain safe headers, and they are sent directly with CORS headers. Preflight requests are more complex and use methods like PUT or DELETE, or include custom headers. These are first sent with an OPTIONS request to check if the actual request is safe to send.
- Security and Limitations: While CORS enables cross-origin requests, it also includes mechanisms to ensure security. It doesn't allow arbitrary sharing of user credentials like cookies or HTTP authentication unless explicitly permitted by the server. Also, CORS policies are set server-side, meaning the server has full control over who can access its resources.
In summary, CORS is an essential part of modern web security. It enables controlled cross-origin requests, balancing the need for functionality with the need to protect users' data and privacy.
Simple Example
Imagine you have two websites:
- Website A: https://website-a.com, which is a frontend application.
- Website B: https://api.website-b.com, which provides an API that Website A wants to use.
Scenario Without CORS
- A user visits https://website-a.com.
- Website A tries to fetch user data from https://api.website-b.com/data.
- The browser's Same-Origin Policy blocks this request because it's a cross-origin request (the origin of the frontend app is website-a.com, and it's trying to access data from api.website-b.com).
Implementing CORS
To allow this cross-origin request, Website B (the API server) needs to include a specific header in its response.
Steps in the CORS Process
- The Browser Sends a Request: When the frontend app at Website A makes a request to Website B, the browser automatically adds an Origin header to the request, indicating that the request is coming from https://website-a.com.
- Server Checks the Origin: Website B's server receives the request and checks the Origin header.
- Server Responds with CORS Headers: If Website B's server is configured to allow requests from https://website-a.com, it responds with a header like Access-Control-Allow-Origin: https://website-a.com. This header tells the browser that the cross-origin request is permitted.
- Browser Processes the Response: The browser sees the Access-Control-Allow-Origin header in the response and allows the frontend JavaScript code on Website A to access the response data.
Code Example
Here's what the HTTP headers might look like:
Request from Website A to Website B
GET /data HTTP/1.1
Host: api.website-b.com
Origin: https://websites-a.com
Request from Website A to Website A
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://website-a.com
Content-Type: application/json
{
"data" : "sample data"
}
Conclusion
In this example, CORS enables Website A to safely and successfully request data from Website B, despite being on different origins. Without CORS, this kind of cross-origin request would be automatically blocked by the browser for security reasons.
