今さら聞けないSPAのCORS対策の話

今さら聞けないSPAのCORS対策の話
Making SPA with thinking about CORS
@sota1235

View Slide

console.log(me)
• Sota Sugiura
• @sota1235
• Mercari, Inc.
• My dream is to be
JavaScript

View Slide

By the way

View Slide

View Slide

In this talk…
• You can understand…
• How Browser will work for CORS
• Which HTTP headers should be provided
for SPA
• How we can manage cookie or some
credential informations

View Slide

CORS

View Slide

Cross
Origin
Resource
Sharing

View Slide

What’s origin?

View Slide

Origin
• Deﬁned from 3 part
• Scheme
• Host
• Port

View Slide

Origin
https://example.com:80

View Slide

Origin
Scheme Host Port

View Slide

Origin
http://example.com:80

View Slide

Origin
Different scheme

View Slide

Origin
Different scheme then different Origin

View Slide

Origin
! IUUQTIPHFDPN IUUQTIPHFDPNGVHBIUNM
IUUQTIPHFDPN IUUQIPHFDPN
IUUQIPHFDPN IUUQIPHFDPN
IUUQIPHFDPN IUUQNPHFIPHFDPN

View Slide

Origin for what?

View Slide

Same Origin Policy

View Slide

Same Origin Policy
• Controlling interactions between different
origins
• The content in the origin will be protected
from other origin
• Important feature for security

View Slide

SOP for…
• XMLHttpRequest
• Fetch API
• Images drawn on Canvas
• and so on

View Slide

Cross Origin
Fetch API
http://localhost:9000

View Slide

Cross Origin
Fetch API
#SPXTFS
"1*

View Slide

Cross Origin
Fetch API
/PUTBNF0SJHJO

View Slide

Cross Origin
Fetch API
)551(&5

View Slide

Cross Origin
Fetch API
const apiServer =
'http://localhost:8000';
fetch(apiServer)
.then(res => {
console.log(res);
})
.catch(err => {
// Do nothing
});
)551(&5

View Slide

Error occurred

View Slide

What happened?
• Browser blocked JavaScript to get HTTP
response
Resource Access
Response

View Slide

What happened?
• Browser blocked JavaScript to get HTTP
response
• Even if server returns response
Resource Access
Response

View Slide

It’s SOP
• Some requests are rejected if target origin is
different from current origin
• Even if server send response, browser will
hide data from JavaScript access

View Slide

So, CORS

View Slide

CORS
• Accessing to different origin with CORS
• Controlling access permission with HTTP
headers
• Made for more ﬂexible frontend interuction

View Slide

Cross Origin

View Slide

Cross Origin
const apiServer =
fetch(apiServer)
.then(res => {
console.log(res);
})
.catch(err => {
// Do nothing
});

View Slide

Cross Origin
const http = require('http');
const PORT = 8000;
const makeResForCORS = (response) => {
response.setHeader(
'Access-Control-Allow-Origin', '*'
);
};
const server = http.createServer((req,
res) => {
makeResForCORS(res);
res.end('hello');
});
server.listen(PORT, () => {
console.log(`Listening on ${PORT}`);
});

View Slide

Cross Origin
)551(&5
const apiServer =
fetch(apiServer)
.then(res => {
console.log(res);
})
.catch(err => {
// Do nothing
});

View Slide

Cross Origin
)5510,
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Fri, 24 Nov 2017 08:41:45
GMT
Connection: keep-alive
Content-Length: 5
hello

View Slide

Cross Origin
)5510,
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Fri, 24 Nov 2017 08:41:45
GMT
Content-Length: 5
hello
"MMPXBDDFTTJOHGSPNBOZPSJHJOT

View Slide

Specify more details
• Access-Control-Allow-Origin
• Origin which can access to resourse
• Access-Control-Allow-Methods
• HTTP methods client can use for cross origin
access
• and so on - I will explain others later :)

View Slide

Recap
• Same Origin Policy
• Security structure for protecting resource
• CORS
• You should set up for servers if you want to
share resource across not same Origins

View Slide

BTW, Today’s theme is
CORS with SPA

View Slide

Do you have these experiences?
• Set Access-Control-Allow-Origin: *
without any thinking
• Using preﬂight, but it is not clear…
• Creating SPA without understanding about
CORS and other techniques around it

View Slide

Not good

View Slide

We need to understand
• CORS
• preﬂight
• Ajax with credentials
• When we understand, we can explain it to
server side engineer by own

View Slide

Let’s make sample SPA
• API and static site Origins are different
• We want to manage user session in some
way
• We want to make cross origin access more
secure and more good performance

View Slide

Let’s make sample SPA
http://localhost:9000 http://localhost:8000
眢 4FDVSF
眢 ,FFQVTFSTFTTJPO
眢 (PPEQFSGPSNBODF
#SPXTFS "1*

View Slide

Step 1 - Cross Origin
Step 2 - User Session
Step 3 - Optimize performance

View Slide

Step 1 - Cross Origin
• Set up for CORS access
• At least you need to set 3 kinds of headers
• The value of headers depends on your
application architecture

View Slide

You should specify
• Access-Control-Allow-Origin
• Origin which can access to resourse
• Access-Control-Allow-Methods
• HTTP methods client can use
• Access-Control-Expose-Headers
• HTTP headers client can send to server

View Slide

Set headers
const PORT = 8000;
response.setHeader('Access-Control-Allow-Origin', 'http://localhost:9000');
response.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE,PATCH,OPTIONS');
response.setHeader('Access-Control-Expose-Headers', 'X-Custom-Header,X-Node-Festival');
};
const server = http.createServer((req, res) => {
res.end('hello');
});
});

View Slide

Step 2 - User Session
• Want to identify user on server side
• Authentication, permission
• Controlling access to some endpoints

View Slide

How to mange session?
• Access token?
• Cookie?
• Or other way?

View Slide

Access Token?
• Save in anywhere?
• Local Storage? Or something like it?
accessToken=abcd1234

View Slide

Not best
• If there is XSS, it will be stolen easily
• We have no way to protect local data from
JavaScript
• And it is not easy to implement
• Is will be expired or not?
• How to implement sign in/sign out logic?

View Slide

Cookie is better way
• We don’t need to implement special logic
• We can protect cookie from XSS
• Surely, we MUST use https

View Slide

Do you worry document.cookie?
• You MUST set this header
• Set-Cookie: HttpOnly; Secure;
• HttpOnly - Cookie won’t be accessed from
JavaScript
• Secure - Cookie will be sent on only HTTPS
connection

View Slide

Let’s use cookie! But…
5IFSFJTOPcookieIFBEFS

View Slide

Ajax with credentials
• When you want to send credentials such as
cookie, you need to specify option
• Server also need to specify that credentials is
allowed to sent

View Slide

Server side for sending credentials
const PORT = 8000;
response.setHeader('Access-Control-Allow-Origin', '*');
response.setHeader('Access-Control-Allow-Credentials', 'true');
};
res.end('hello');
});
});

View Slide

mmm, still not perfect

View Slide

“*” is dead…
• You can’t define ‘*’ for Access-Control-
Allow-Origin
• Even if you don’t send credentials cross
origin, ‘*’ does not make sense
• Also for security, let’s define specific origin!

View Slide

Server side for sending credentials
const PORT = 8000;
response.setHeader('Access-Control-Allow-Origin', 'http://localhost:9000');
response.setHeader('Access-Control-Allow-Credentials', 'true');
};
res.end('hello');
});
});

View Slide

Step 3 - Optimize performance
• Before optimizing your application’s
performance, you need to know about
preﬂight request

View Slide

Preﬂight Request
• Pre request before accessing to other origin
• It is sent by browser automatically
• It means if browser send preﬂight request, it
takes 2RTT to access to the resource

View Slide

Request Flow
015*0/4
$034JOGPSNBUJPO
① Preﬂight Request
(&5
3FTQPOTF

View Slide

Request Flow
015*0/4
$034JOGPSNBUJPO
② Request you want to send
(&5
3FTQPOTF

View Slide

Preﬂight Request
OPTIONS / HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X
10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
62.0.3202.94 Safari/537.3620081130 Minefield/3.1b3pre
Accept: */*
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Origin: http://localhost:9000 
Referer: http://localhost:9000/
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: x-custom-header

View Slide

Response for Preﬂight
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:9000
Access-Control-Allow-Methods:
GET,POST,PUT,DELETE,PATCH,OPTIONS
Access-Control-Allow-Headers: X-Custom-Header,X-Node-
Festival
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 100
Date: Fri, 24 Nov 2017 17:23:24 GMT

View Slide

When?
• When you want to use speciﬁc HTTP
methods
• ex) PUT, DELETE, PATCH, OPTIONS
• When you want to use custom HTTP header
• When you want to specify Content-Type
header except some values

View Slide

Then, how to optimize?

View Slide

–Sota Sugiura
l/PUIJOHJTUIFCFTUBSDIJUFDUVSFGPS
BQQMJDBUJPO`TQFSGPSNBODFz

View Slide

Decreasing latency
• Let’s make your app 2RTT to 1RTT
• Use only GET, POST method
• Not using custom HTTP headers
• Set speciﬁc value to Content-Type

View Slide

Do not forget CSRF
• If you avoid using preﬂight, you need to
consider about CSRF
• Even if browser protect resource from
JavaScript, request will be sent to server
Bad Request
Response

View Slide

For CSRF
• Adding origin checking on server
• Using preﬂight request
• The thing you should think about is not to
exec request before any checking

View Slide

CSRF
#BE3FRVFTU

View Slide

CSRF
#BE3FRVFTU
const PORT = 8000;
const TARGET_ORIGIN = 'http://localhost:9000';
response.setHeader(
'Access-Control-Allow-Origin', TARGET_ORIGIN
);
};
if (req.headers.origin !== TARGET_ORIGIN) {
res.end('invalid request');
return;
}
res.end('hello');
});
});

View Slide

You need to use preflight?
• In some case, you can’t avoid using preflight
request
• Don’t worry, you can optimize around
preflight request

View Slide

Cache
Preﬂight
1SFGMJHIU
const apiServer =
fetch(apiServer)
.then(res => {
console.log(res);
})
.catch(err => {
// Do nothing
});

View Slide

Cache
Preﬂight
3FTQPOTF
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://
localhost:9000
Access-Control-Allow-Headers: X-
Custom-Header,X-Node-Festival
Date: Fri, 24 Nov 2017 17:23:24 GMT

View Slide

Cache
Preﬂight
3FTQPOTF
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://
localhost:9000
Access-Control-Allow-Headers: X-
Custom-Header,X-Node-Festival
Date: Fri, 24 Nov 2017 17:23:24 GMT
$BDIFQSFqJHIUSFTVMUGPSTFDPOET

View Slide

Access-Control-Max-Age
• You can let browser to cache preﬂight result
• But max cache time is limited
• Chrome - 10 minutes
• Firefox - 24 hours
• Specify value for your app’s spec

View Slide

That’s all
•
✅ Basic settings for CORS
• ✅ Ajax with credentials
• ✅ Avoid using Preﬂight Request
•
✅ Or cache request for optimizing

View Slide

Summary
• CORS is for interactions between different
Origins
• When you write frontend code like SPA…
• You need to understand around CORS
• You can optimize communication with
different origin

View Slide

Thank you

View Slide

今さら聞けないSPAのCORS対策の話

今さら聞けないSPAのCORS対策の話

Sota Sugiura

More Decks by Sota Sugiura

Other Decks in Technology

Featured

Transcript