Question

Chapter 3 introduced the same-origin policy (SOP), one of the fundamental defenses deployed in modern web applications. The SOP restricts how a script originating from one site can interact with the resources of a different site, and it’s critical in preventing many common web vulnerabilities.

第三章介绍了同源策略（SOP），这是现代 Web 应用程序中部署的基本防御之一。 SOP 限制来自一个站点的脚本如何与另一个站点的资源进行交互，这在防止许多常见的 Web 漏洞方面至关重要。

But websites often loosen the SOP in order to have more flexibility. These controlled and intended SOP bypasses can have adverse effects, as attackers can sometimes exploit misconfigurations in these techniques to bypass the SOP. These exploits can cause private information leaks and often lead to more vulnerabilities, such as authentication bypass, account takeover, and large data breaches. In this chapter, we’ll discuss how applications relax or work around the SOP and how attackers can exploit these features to endanger the application.

但网站经常会放宽 SOP 以获得更多的灵活性。这些受控制和有意的 SOP 绕过可能会产生负面影响，因为攻击者有时可以利用这些技术中的配置错误来绕过 SOP。这些漏洞可能会导致私人信息泄漏，通常会导致更多漏洞，例如身份验证绕过、账户接管和大规模数据泄露。在本章中，我们将讨论应用程序如何放宽或绕过 SOP，以及攻击者如何利用这些功能危害应用程序。