【待反馈】如何通过宝塔网站配置处理CORS问题

为了能快速了解并处理您的问题，请提供以下基础信息：

面板、插件版本：

[url=]7.9.8[/url]

系统版本：

CentOS 8.2.2004 x86_64

问题描述：

如何在宝塔网站配置中解决CORS?

相关截图（日志、错误）：

CORS (Cross-Origin Resource Sharing) origin validation failure[color=rgba(0, 0, 0, 0.87)]bug_report
URL:http://www.aydigital.cn/api/[color=rgba(0, 0, 0, 0.87)]Attack Detailsarrow_drop_up

Access-Control-Allow-Origin: https://localhost
Access-Control-Allow-Credentials: true Origin accepted from a known domain.

[color=rgba(0, 0, 0, 0.87)]Vulnerability Descriptionarrow_drop_up

CORS (Cross-Origin Resource Sharing) defines a mechanism to enable client-side cross-origin requests. This application is using CORS in an insecure way.

The web application fails to properly validate the Origin header (check Details section for more information) and returns the header Access-Control-Allow-Credentials: true.

In this configuration any website can issue requests made with user credentials and read the responses to these requests. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.

Discovered by CORS (Cross-Origin Resource Sharing) origin validation failure

[color=rgba(0, 0, 0, 0.87)]HTTP Requestarrow_drop_down




[color=rgba(0, 0, 0, 0.87)]HTTP Responsearrow_drop_down




[color=rgba(0, 0, 0, 0.87)]The impact of this vulnerabilityarrow_drop_up

Any website can issue requests made with user credentials and read the responses to these requests.

[color=rgba(0, 0, 0, 0.87)]How to fix this vulnerabilityarrow_drop_up

Allow only selected, trusted domains in the Access-Control-Allow-Origin header.

[color=rgba(0, 0, 0, 0.87)]Classificationarrow_drop_up
CWECWE-942CVSSBase Score: 5.4 - CVSS:3.1/AV:N/AC/PR:N/UI:R/S:U/C/I/A:NAttack Vector: NetworkAttack Complexity: LowPrivileges Required: NoneUser Interaction: RequiredScope: UnchangedConfidentiality: LowIntegrity: LowAvailability: None

[color=rgba(0, 0, 0, 0.87)]Web Referencesarrow_drop_up

• CORS Security Considerations
  

您好，如是您网站出现跨域问题，您可以通过您网站源代码内增加跨域设置。
或者是通过网站配置增加一个跨域设置，设置后重启web服务，web服务所指：nginx/apache、IIS等。
以下是为Nginx配置跨域问题设置，可参考下：
1.添加以下行到您的Nginx配置文件中的服务器块中，：

1. add_header 'Access-Control-Allow-Origin' '*';
   
2. add_header 'Access-Control-Allow-Credentials' 'true';
   
3. add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
   
4. add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';

复制代码

这将允许从任何来源请求您的网站，并允许使用凭据（例如cookie），同时还允许GET、POST和OPTIONS方法，并允许一些常见的请求头。
2.如果您要限制允许跨域请求的来源，则可以使用以下配置选项：

1. if ($http_origin ~* (https?://example\.com(:[0-9]+)?$)) {
   
2.     add_header 'Access-Control-Allow-Origin' "$http_origin";
   
3.     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
   
4.     add_header 'Access-Control-Allow-Credentials' 'true';
   
5.     add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
   
6. }

复制代码

在这里，“https://example.com”是您希望允许跨域请求的来源。如果请求的来源与此匹配，则nginx将允许跨域请求。
3.如果您的网站使用HTTPS，则应该使用以下选项来确保安全

1. add_header 'Access-Control-Allow-Origin' "$http_origin";
   
2. add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
   
3. add_header 'Access-Control-Allow-Credentials' 'true';
   
4. add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
   
5. add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
   
6. if ($request_method = 'OPTIONS') {
   
7.     return 204;
   
8. }

复制代码

在这里，“Access-Control-Expose-Headers”将公开一些常见的响应头，而“if ($request_method = 'OPTIONS')”将确保只有OPTIONS请求返回204响应，这是CORS规范所要求的。

请注意，这些选项可能不适用于所有情况，具体取决于您的应用程序和环境。在配置Nginx时，请确保您的网站安全，并将跨域配置选项限制为最小化。