Security Issues with JSONP in jQuery


Question

I am writing an app right now that uses jQuery and JSONP to get JSON from 3rd party servers. The main idea behind my app is that it is a Front End with only GUI logic and 3rd party servers can be written by anyone to use the Front End.
I have no idea what security issues could arise from this but I definitely see it as a potential issue. What are some steps I can take to make sure that a 3rd party server doesn't completely crash my site that will be running the GUI?

Answer

JSONP means that you execute third-party JavaScript which should return a JavaScript object. The script you load with JSONP can do anything a local script could, thus it is an XSS attack vector in two ways: either if the third party you request the JSONP data from is evil, or if the data is changed with a man-in-the-middle attack.

The second type of attack can be avoided by only doing JSONP over secure connections (or can be disregarded if your own page is sent over an insecure connection, in which case there are easier ways to do a man-in-the-middle attack); the first type is inherent to JSONP and cannot be avoided. You should only use JSONP when you trust the source. Otherwise, you can either set up an AJAX gateway on your own server and request JSON data through that (this will only work if the JSONP service does not require authentication), or use cross-domain AJAX requests (which do not work in older browsers, and require certain permissions from the JSONP server).
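The "AJAX gateway on your own server" option from the answer above works because the gateway can fetch the third party's JSONP text and hand the browser plain JSON instead of script. This added example (not part of the original answer, written for Node.js) shows the gateway-side step of unwrapping a JSONP body without executing it: the response must be exactly `callback(<JSON>)`, and anything else (a different callback, a trailing statement, a payload that is not valid JSON) is rejected. The callback name `cb` and the sample responses are constructed for the example.

```javascript
'use strict';

// Unwrap a JSONP response body into data without ever executing it.
// Accepted shape: optional whitespace, the expected callback name, "(",
// a JSON payload, ")", an optional ";" and trailing whitespace.
// Everything else is rejected, because a gateway must not act as an
// interpreter for the third party's JavaScript.
function unwrapJsonp(body, expectedCallback) {
  if (!/^[A-Za-z_$][\w$]*$/.test(expectedCallback)) {
    throw new Error('invalid callback name');
  }
  const trimmed = body.trim();
  const prefix = expectedCallback + '(';
  if (!trimmed.startsWith(prefix)) {
    throw new Error('response does not start with expected callback');
  }
  let inner = trimmed.slice(prefix.length);
  if (inner.endsWith(';')) inner = inner.slice(0, -1).trimEnd();
  if (!inner.endsWith(')')) throw new Error('missing closing parenthesis');
  inner = inner.slice(0, -1);
  // JSON.parse never runs code: a payload like `{"a":1}); alert(1); (0`
  // is simply not JSON and throws here instead of executing.
  const data = JSON.parse(inner);
  if (data === null || typeof data !== 'object') {
    throw new Error('payload is not a JSON object or array');
  }
  return data;
}

// Constructed sample bodies standing in for a third-party JSONP server.
const SAMPLES = {
  good: 'cb({"items":[1,2,3],"total":3});',
  extraStatement: 'cb({"items":[]}); document.cookie="x"',
  wrongCallback: 'evil({"items":[]})',
  smuggled: 'cb({"a":1}); alert(1); (0)',
};

// What the gateway would return to the browser: data, or a refusal.
function gatewayResult(body) {
  try { return { ok: true, data: unwrapJsonp(body, 'cb') }; }
  catch (e) { return { ok: false, error: e.message }; }
}

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(gatewayResult(body)));
}
```

The gateway should still be treated as a fetch-and-parse proxy only: it must not forward the user's cookies or credentials to the third party, which is why the answer notes it only works when the JSONP service needs no authentication.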
