Any way to limit access to CouchDB view when JSONP is enabled?


Problem description

I enabled JSONP on my iriscouch CouchDB so I could make ajax requests to my views. This means that anybody can make ajax requests to my CouchDB views.

Is there any way to prevent this?

If not, then is there a way to limit access to the views (with JSONP turned off) so that only my application can view it (using a proxy)?

Recommended answer

Cross-domain functionality is still difficult. I do not think JSONP allows authenticated requests, therefore your choice with JSONP is between totally public data and totally private data.

(Incidentally, if you are concerned about privacy, note that your enemies or script kiddies or whoever can simply read the page source and query your views with curl.)

The correct solution to cross-domain security is Cross-Object Resource Sharing (CORS). There is a CouchDB CORS patch. Incidentally, Iris Couch (where I work) does unofficially support this patch and will activate it if you contact them.

If you use a proxy, the benefit is that you have huge flexibility and control over security. (The downside, obviously, is that now you must maintain a new server, and you must also be vigilant in case somebody has poked a hole in your security policy that you had not realized.)
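The proxy option the answer describes, as an added example that is not part of the original question or answer: a small allow-list reverse proxy that sits between the browser and a CouchDB that itself requires authentication. The proxy holds the CouchDB credentials, forwards only GET requests to one named view with a restricted set of query parameters, refuses everything else (including the `callback` parameter that JSONP would use), and emits CORS headers only for the application's own origin. The CouchDB URL, credentials, database, design document, view name and origin are constructed placeholders, not values from the page.

```python
"""Allow-list reverse proxy in front of CouchDB (constructed example).

Design: CouchDB stays private (requires auth); only this proxy knows the
credentials, and the browser can reach exactly one view through it.
"""
import base64
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders; override via environment in a real deployment.
COUCH_URL = os.environ.get("COUCH_URL", "http://127.0.0.1:5984")
COUCH_USER = os.environ.get("COUCH_USER", "proxy-user")
COUCH_PASSWORD = os.environ.get("COUCH_PASSWORD", "change-me")
ALLOWED_ORIGINS = {"https://app.example.com"}
# Only this view is reachable through the proxy: (database, ddoc name, view name).
ALLOWED_VIEWS = {("mydb", "app", "by_date")}
# Query parameters the browser may pass through; anything else (e.g. callback) is rejected.
ALLOWED_PARAMS = {"key", "startkey", "endkey", "limit", "skip", "descending", "reduce", "group"}


def decide(method, target, origin):
    """Policy check for one request.

    Returns (allowed, reason, clean_path); clean_path is the normalized path plus
    filtered query string to forward to CouchDB, or None when refused.
    """
    if method != "GET":
        return False, "method not allowed", None
    parts = urlsplit(target)
    segs = [s for s in parts.path.split("/") if s]
    # Expect exactly /<db>/_design/<ddoc>/_view/<view>: no _all_docs, no raw documents.
    if len(segs) != 5 or segs[1] != "_design" or segs[3] != "_view":
        return False, "not a view path", None
    if (segs[0], segs[2], segs[4]) not in ALLOWED_VIEWS:
        return False, "view not allow-listed", None
    params = parse_qs(parts.query, keep_blank_values=True)
    bad = set(params) - ALLOWED_PARAMS
    if bad:
        return False, "query parameter not allowed: " + ",".join(sorted(bad)), None
    # A missing Origin (curl, server-to-server) is fine: the view allow-list, not
    # CORS, is what limits exposure. A present but foreign Origin is refused.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed", None
    clean = "/" + "/".join(segs)
    if params:
        clean += "?" + urlencode(params, doseq=True)
    return True, "ok", clean


def cors_headers(origin):
    """CORS headers for an allow-listed origin, empty otherwise. Never '*'."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET",
        "Vary": "Origin",
    }


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        origin = self.headers.get("Origin")
        ok, reason, clean = decide("GET", self.path, origin)
        if not ok:
            self.send_response(403)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(reason.encode())
            return
        # The proxy authenticates to CouchDB; the browser never sees these credentials.
        token = base64.b64encode(f"{COUCH_USER}:{COUCH_PASSWORD}".encode()).decode()
        req = urllib.request.Request(
            COUCH_URL + clean,
            headers={"Authorization": "Basic " + token, "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body, status = resp.read(), resp.status
        except urllib.error.HTTPError as e:
            body, status = e.read(), e.code
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        for name, value in cors_headers(origin).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Run it next to CouchDB and point the application's ajax calls at `http://127.0.0.1:8080/mydb/_design/app/_view/by_date?limit=5`. Anything outside the allow-list, such as `/mydb/_all_docs`, a different view, a POST, or a `callback=` parameter, gets a 403 before CouchDB is ever contacted. This is the "huge flexibility" the answer mentions: the policy is a few lines you own and can audit, which is also why it deserves the vigilance the answer warns about.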
