我不知道JSONP与AJAX有什么不同 [英] I don't get how JSONP is ANY different from AJAX
问题描述
-
我没有看到JSONP中的回调函数与AJAX中的成功回调函数有什么不同。
I don't see how the callback function in JSONP is any different from the success callback function in AJAX.
鉴于#1,我不知道它是如何从根本上更加安全。
Given #1, I don't see how it is fundamentally more secure.
因此,与AJAX的人工同域约束的唯一区别?
So is the only difference an artificial same-domain constraint with AJAX?
为什么AJAX不允许跨域请求;如果这可能导致安全漏洞,那么攻击不会只是XSS一个JSONP请求吗?
Why can't AJAX just allow cross-domain requests; if this can cause a security hole, wouldn't the attack just XSS a JSONP request?
困惑,
Max
Confused, Max
推荐答案
ajax调用是客户端直接向服务器发出的实际HTTP请求。 Ajax调用可以是同步的(阻塞直到完成)或异步。由于同源安全保护,ajax调用只能与网页来自同一服务器,除非目标服务器明确允许使用CORS的跨源请求。
An ajax call is an actual HTTP request from your client directly to a server. Ajax calls can be synchronous (blocking until they complete) or asynchronous. Because of same-origin security protections, ajax calls can only be made to the same server that the web page came from unless the target server explicitly allows a cross origin request using CORS.
JSONP调用是一个有趣的黑客,其中包含允许跨源通信的< script> 标记。在JSONP调用中,客户端创建一个脚本标记,并在其上放置一个带有 callback = xxxx 查询参数的URL。该脚本请求(通过脚本标签插入)由浏览器发送到外部服务器。浏览器只是认为它正在请求一些JavaScript代码。然后,服务器为此调用创建一些特殊的javascript,并且在返回时由浏览器执行的javascript中,服务器将函数调用放入 callback = xxxx <中指定的函数中/ code>查询参数。通过将数据传递给该函数来定义变量,服务器可以将数据传递回客户端。对于JSONP,客户端和服务器必须就JSONP调用的工作方式以及数据的定义方式进行合作。客户端无法对未明确支持JSONP的服务器进行JSONP调用,因为服务器必须构建完全正确的JSONP响应类型,否则它将无法正常工作。
JSONP calls are an interesting hack with the <script> tag that allows cross-origin communication. In a JSONP call, the client creates a script tag and puts a URL on it with an callback=xxxx query parameter on it. That script request (via the script tag insertion) is sent by the browser to the foreign server. The browser just thinks it's requesting some javascript code. The server then creates some special javascript for the purposes of this call and in that javascript that will get executed by the browser when it's returned, the server puts a function call to the function named in the callback=xxxx query parameter. By either defining variables of by passing data to that function, the server can communicate data back to the client. For JSONP, both client and server must cooperate on how the JSONP call works and how the data is defined. A client cannot make a JSONP call to a server that doesn't explicitly support JSONP because the exact right type of JSONP response has to be built by the server or it won't work.
因此,这两种沟通方法完全不同。只有ajax调用可以是同步的。根据< script> 标记插入的性质,JSONP调用始终是异步的。
So, the two communication methods work completely differently. Only ajax calls can be synchronous. By the nature of the <script> tag insertion, JSONP calls are always asynchronous.
在Ajax调用中,响应在ajax事件处理程序中返回。
In an Ajax call, the response comes back in a ajax event handler.
在JSONP调用中,当返回的Javascript调用您的函数时,响应就会出现。
In a JSONP call, the response comes when the returned Javascript calls a function of yours.
在某些方面,JSONP是一个绕过跨源安全机制的安全漏洞。但是,您只能调用明确选择支持类似JSONP机制的服务器,因此如果服务器不希望您能够跨域调用它,它可以通过不支持JSONP来阻止它。您不能对这些其他服务器进行常规的ajax调用。
In some ways, JSONP is a security hole that bypasses the cross-origin security mechanism. But, you can only call servers that explicitly choose to support a JSONP-like mechanism so if a server doesn't want you to be able to call it cross-origin, it can prevent it by not supporting JSONP. You can't make regular ajax calls to these other servers.
浏览器制造商无法真正消除这个漏洞,因为如果他们做了数以万计的网页会破坏已经使用JSONP或从其他域加载脚本。例如,网络上使用jQuery关闭Google或Microsoft CDN的每个页面都会中断,因为浏览器不允许从跨域域下载javascript。
The browser makers can't really close this loophole because if they did zillions of web pages would break that either already use JSONP or load scripts from other domains. For example, every page on the web that uses jQuery off the Google or Microsoft CDNs would break because the browser wouldn't be allowed to download javascript from cross-origin domains.
JSONP主要是作为一种解决方案而发明的,可以进行跨域请求。但是,由于JSONP需要显式服务器支持才能工作,因此它不是真正的安全问题,因为只能对明确决定允许该类型的跨源调用的服务器进行JSONP调用。 JSONP的使用现在比过去少得多,因为CORS被发明为一种更优雅的控制/允许方式。 CORS代表跨源资源共享,它提供了一种方法目标服务器告诉Web浏览器确切地允许哪种类型的跨源请求,甚至告诉它允许哪些Web页面域发出此类请求。它具有比JSONP更精细的控制,并且所有现代浏览器现在都支持CORS。
JSONP was largely invented as a work-around to be able to make cross-origin requests. But, since JSONP requires explicit server support in order to work, it wasn't really a security problem because a JSONP call can only be made to a server that explicitly decided to allow that type of cross origin call. JSONP is used much less now than it used to be because CORS was invented as a more elegant way to control/allow this. CORS stands for Cross Origin Resource Sharing and it provides a means for a target server to tell a web browser exactly what type of cross origin requests are allowed and even to tell it which web page domains are allowed to make such requests. It is has much finer control available than JSONP and all modern browsers now support CORS.
以下是跨源调用如何导致问题的示例。如果你可以从任何其他网页加载任意网页或进行任意的ajax调用,那么想象一下你已经在雅虎的其他浏览器窗口中登录了你的webmail界面。这意味着您的cookie设置为允许来自浏览器的请求从Yahoo获取数据。如果某个其他网页中的javascript被允许向Yahoo发出webmail请求(这将自动附加您的cookie),那么它可以获取您的所有网络邮件数据并将其发送回自己的网站。一个网站可以从任何其他网站上删除所有登录的数据。所有网络安全都将被打破。
Here's an example of how a cross-origin call causes problems. If you could load any arbitrary web page from any other web page or make any arbitrary ajax call, then imagine you were already logged into your webmail interface on Yahoo in so some other browser window. This means that your cookies are set to allow requests from your browser to fetch data from Yahoo. If the javascript in some other web page was allowed to make a webmail request to Yahoo (that would automatically have your cookies attached), it could then fetch all your webmail data and send it back to it's own site. One web site could rip off all the logged-in data from any other web site. All web security would be broken.
但是,就我们今天的方式而言,只要雅虎不支持使用这些相同网络cookie的JSONP接口,就可以避免未经授权的JSONP请求。
But, the way we have it today, as long as Yahoo doesn't support a JSONP interface that uses those same web cookies, it is safe from unauthorized JSONP requests.
以下是关于跨源ajax危险的一些其他好的文章以及必须要防止它的原因:
Here are some other good writeups on the dangers of cross-origin ajax and why it has to be prevented:
这篇关于我不知道JSONP与AJAX有什么不同的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
