Javascript安全性:将敏感数据存储在比cookie更安全的自调用功能中? [英] Javascript Security: is storing sensitive data in a self invoking function more secure than cookies?
问题描述
我知道客户端JavaScript中的安全性要么不存在,要么非常困难。我知道我的服务器端代码应该最终决定它向谁提供数据或从中接受数据。
I know security is either non-existant or very difficult in client side JavaScript. I know my server-side code should ultimately decide who it gives data to or accepts data from.
这就是说,以下是可以的。通过好的我的意思是,如果这是一些新的流行时尚酷网络应用程序使用的方法。知道我不会看到Super Cool Web App Hacked,改变你的密码!由于这种实现,遍布HN和Reddit(或人们关心的任何其他信息来源)。
That said, is the following okay to do. By "okay" I mean if this were the method used on some new popular trendy cool web app. Could I sleep at night knowing that I won't see "Super Cool Web App Hacked, change your passwords!" all over HN and Reddit (or any other sources of info people care about) as a result of this implementation.
如果它不安全。为什么?如何获得该信息(用户名和密码)?
If it is not secure. Why? How can that info (username and password) be obtained?
如果它是安全的?你有多确定吗?为什么安全?什么阻止我在明显无能为力的情况下获取该信息。
If it is secure? How sure are you? Why is it secure? What is stopping me from getting that info outside of my obvious inability to right now.
欢迎部分答案。只是为了更好地理解。
Partial answers are welcome. Just looking for a better understanding.
编辑
我正在考虑一些人试图窃取用户凭据的情况。我的理解是,cookie是不安全的,因为1.)其他javascripts(通过XSS或其他)可以访问它们,因为2.)它们是明确传递的。我认为SSL会解决第二个问题,让我们假设我能够阻止XSS。现在看来cookie现在是安全的,对吗?
I'm thinking about the case of some trying to steal a users credentials. My understanding is that cookies are insecure because 1.) other javascripts (via XSS or whatever) can access them and because 2.) they are passed in the clear. I figure SSL would take care of the second issue and lets just assume I'm able to prevent XSS. It would now seem that cookies are now secure, right?
我知道一些假设的浏览器漏洞有助于使cookie不安全。这就是让我问这个问题的原因。鉴于所有使饼干不安全的事情,这个(下面的代码)是否更好?
I'm aware of some supposed browser vulnerabilities that assist in making cookies insecure. That's what made me ask this question. Given all the things that make cookies insecure, is this (code below) any better?
http://jsfiddle.net/KTastrophy/vXEjm/1/ 或查看以下代码
(仅在Chrome)
http://jsfiddle.net/KTastrophy/vXEjm/1/ OR see code below (Only tested in Chrome)
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<form id="login">
<div>
<label for="username">Username</label>
<input id="username" name="username" type="text" />
</div>
<div>
<label for="password">Password</label>
<input id="password" name="password" type="password" />
</div>
<div>
<input id="submit" name="submit" type="submit" value="Login" />
</div>
</form>
</body>
<script type="text/javascript">
;(function () {
"use strict";
var login, user = {};
login = document.getElementById("login");
login.onsubmit = function (event) {
event.preventDefault();
user.username = document.getElementById("username").value;
user.password = document.getElementById("password").value;
/*
use the username and password here to do
an API request over SSL using HTTP Auth
*/
}
}());
</script>
</html>
推荐答案
当您处理存储在JavaScript中的敏感值时,您有两个主要的安全问题:
When you're dealing with sensitive values stored in JavaScript, you have two primary security concerns:
- 敏感值可在源中以纯文本形式查看。
- 页面上的另一个JS函数可以到达对象并拉出这些值(即XSS攻击)。
当你在一个页面上运行多个来源的应用程序(例如,Facebook应用程序)时,上面的第二项变得更加相关。在这些情况下,您必须注意不要通过使用闭包来暴露敏感变量。您实际上已经这样做了:您的用户对象在闭包内声明。这可以防止页面上的任何其他JS函数访问用户对象。
The second item above becomes much more relevant when you have apps running from multiple sources on a single page (e.g., Facebook apps). In these instances, you would have to take pre-cautions not to expose sensitive variables by using closures to namespace. You are actually already doing this: your user object is declared inside a closure. This prevents any other JS function on the page from being able to access the user object.
在您的情况下,我假设除了你自己的页面上没有任何其他代码,注入的可能性很小 - 你的代码是安全的:)
In your case, I'm assuming that there isn't any other code on the page except for your own and the possibility for injection is minimal--your code is safe :)
编辑:使用户名和密码存储在Cookie不安全状态的原因是,在您关闭浏览器后,它就位于您的计算机上。如果黑客可以通过任何方式访问该cookie,那么您可能遇到麻烦。你上面所做的是安全的,因为在浏览器关闭后没有任何东西存储在客户端(当浏览器打开时,其他JS无法访问你存储的值)。如果你想在cookie中放置一些内容,最好存储某种公共/私有身份验证密钥。关于这个问题有很多讨论,这里有一篇关于这个主题的全面的最佳实践文章: http://jaspan.com/ improve_persistent_login_cookie_best_practice
What makes storing the username and password in a cookie insecure is that it sits on your computer after you've closed the browser. If a hacker can access that cookie (through any number of ways) then you could be in trouble. What you've done above is safe because nothing is stored on the client side after the browser closes (and while the browser is open, other JS cannot access the values you've stored). If you want to put something in a cookie, it'd be better to store some sort of public/private authentication key. There's a lot of discussion on this, here is a thorough 'best practices' article on the topic: http://jaspan.com/improved_persistent_login_cookie_best_practice
这篇关于Javascript安全性:将敏感数据存储在比cookie更安全的自调用功能中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
