JSONP 使用安全吗?

Programming basics | Industry news | Updated: 2024-10-13 18:20:19

Question

Are there any security issues that should be considered when using JSONP?

Accepted answer

Update: JSONP is a common hack to do cross-domain requests. Modern browsers now have Cross Origin Resource Sharing, and IE8+ have XDomainRequest which is similar. See enable-cors/ for more info.

JSONP is just a script include that allows you to use a callback. You should however be aware of Cross-site request forgery (CSRF).

As long as you control the script and the server, JSONP isn't any more insecure than a script include. Unless you have a JSONP service that returns sensitive data to logged-in users. A malicious site can send a request to the service (hoping that the user is logged in on your site), and retrieve the data. The service can check the referrer of the request, but it is possible to spoof the referrer using Flash (thanks Chris Moschini).

Imagine this scenario: - A user logs into his internet banking account, storing a session cookie in the user's browser. This site has a JSONP service with sensitive info about the user and his accounts. - Other sites won't know that the user is logged in, but they could make a wild guess and try to access the JSONP service. Since the user has a session cookie, the browser will get a response, and there's nothing stopping the site from doing an AJAX POST to save the sensitive data on their server.

Update June 28th 2012: If you want to protect against CSRF attacks you should read this in depth blog post by a security expert: erlend.oftedal.no/blog/?blogid=130
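The banking scenario in the answer, modelled as an added example (this is not code from the original answer or from any real site): a JSONP endpoint that only checks the session cookie, so a `<script>` include on any page the logged-in user visits receives the account data in its callback, beside a hardened handler that never wraps sensitive data in JSONP and instead serves plain JSON under a CORS origin allowlist, as the answer's update suggests. The session store, the trusted origin `https://bank.example`, the cookie name `sid` and the request object shape are all assumptions made for the demo.

```javascript
// Added example: weak JSONP endpoint versus hardened JSON + CORS endpoint.
// All data below is constructed for the demo; nothing here is real.

const SESSIONS = { "sess-123": { user: "alice", balance: 4200 } }; // constructed session store
const TRUSTED_ORIGINS = new Set(["https://bank.example"]);         // assumed first-party origin

// Resolve the "sid" cookie (assumed cookie name) to a session record, or null.
function sessionFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)sid=([A-Za-z0-9-]+)/.exec(cookieHeader || "");
  return m ? SESSIONS[m[1]] || null : null;
}

// Weak design from the answer: the only gate is the session cookie. The browser
// attaches that cookie to a cross-site <script src=".../account?callback=f">,
// so whichever page included the script gets the data passed to its callback.
function jsonpAccountWeak(req) {
  const session = sessionFromCookie(req.headers.cookie);
  if (!session) return { status: 401, body: "" };
  const cb = req.query.callback || "callback";
  return {
    status: 200,
    contentType: "application/javascript",
    body: `${cb}(${JSON.stringify(session)});`,
  };
}

// Hardened design: sensitive data is served only as a plain JSON document.
// A JSON object body is not valid JavaScript, and with nosniff the browser
// refuses to execute it as a script, so a <script> include learns nothing.
// Reading it cross-origin requires fetch/XHR with credentials, which carries
// an Origin header that must match the allowlist before CORS headers are set.
function jsonAccountHardened(req) {
  const session = sessionFromCookie(req.headers.cookie);
  if (!session) return { status: 401, body: "" };

  const headers = { "X-Content-Type-Options": "nosniff" };
  const origin = req.headers.origin;
  if (origin !== undefined) {
    // Cross-origin fetch/XHR (or a cross-site POST) always sends Origin.
    if (!TRUSTED_ORIGINS.has(origin)) return { status: 403, body: "" };
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin";
  }
  // No Origin header: same-origin GET or a bare <script> include. Serve JSON
  // without CORS headers; a third-party page cannot read it either way.
  return {
    status: 200,
    contentType: "application/json",
    headers,
    body: JSON.stringify({ user: session.user, balance: session.balance }),
  };
}

// Stand-alone demonstration of both handlers against the same cross-site request.
const crossSiteScriptInclude = {
  headers: { cookie: "sid=sess-123" },            // cookie attached by the browser
  query: { callback: "handleAccount" },           // callback chosen by the including page
};
console.log("weak   :", jsonpAccountWeak(crossSiteScriptInclude).body);
console.log("hardened:", jsonAccountHardened(crossSiteScriptInclude));
```

The hardened handler still answers a cross-site `<script>` include with 200, but the body is inert JSON and no `Access-Control-Allow-Origin` is emitted, so only the allowlisted origin can read the data through a credentialed fetch. The referrer check mentioned in the answer is deliberately not used as a gate here, since the answer notes it can be spoofed.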

Published: 2023-11-14 20:06:27
Source: https://www.elefans.com/category/jswz/34/1588400.html
Tags: JSONP