What is the sense of crossdomain.xml and clientaccesspolicy.xml when there is e.g. PHP/cURL?


Question


So let's say I have a site and I do not have a crossdomain.xml or clientaccesspolicy.xml on it.


This means that people cannot access my site via Silverlight or Flash applications.


But they can use, say cURL in PHP (or the equivalent in other languages) to get the information from my site and provide it to their Silverlight and Flash applications via REST or WebService, etc.


  • Can someone explain exactly how these restrictions protect my site, e.g. from cross domain scripting?


What are they protecting against that couldn't be done with PHP/cURL and equivalents which do have access to my site via script?

Recommended answer


PHP is a server side technology and code executes on the server, not on the user's machine. Silverlight is a client side technology that runs on the user's machine.


If Silverlight code could make arbitrary web requests to any domain, it would open the door to a whole host of cross-site scripting attacks.


Imagine this scenario:
Bob goes to www.OnlineBanking.com and logs in to check his account balance. He leaves this site by navigating to a different address. He does not click "Log Out", so he is still logged in (alternatively, he opens a new browser window/tab, leaving the banking site still open).
Bob browses to evil.com, which contains a Silverlight application.
The Silverlight application is downloaded and runs on Bob's machine.
This application makes a web request to www.OnlineBanking.com/secretaccountdetails.html. This file requires authentication to read (evil.com is not authenticated so cannot access it).
Bob however IS authenticated, and the request succeeds. The Silverlight application can read the contents of this file and do whatever it likes with it (including sending it to evil.com).


The cross-domain request restrictions in Silverlight prevent the above scenario from happening. When the request is made by the Silverlight app to OnlineBanking.com, it will check for a cross domain policy file since the app was served from a different domain. Since OnlineBanking.com does not have a policy file allowing cross domain requests, the request fails and the Silverlight application cannot download secretaccountdetails.html.
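The flip side of the answer above is that a site which *does* publish a policy file can re-open exactly this hole if the file is too permissive: a wildcard `allow-access-from` in crossdomain.xml or a wildcard `<domain uri="*"/>` in clientaccesspolicy.xml tells every Flash or Silverlight application on the web that it may read responses sent with the victim's cookies. The following is an added example (not code from the question, the answer, or any real site) that parses both file formats and flags the rules a defender would want to review. The four policy documents are constructed inline for illustration; the hostnames in them are placeholders.

```python
"""Audit Flash (crossdomain.xml) and Silverlight (clientaccesspolicy.xml)
policy files for rules that grant every origin access to authenticated content.

Added example. The sample policy texts below are constructed for illustration
and are not taken from any real site.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a crossdomain.xml that trusts every origin.
CROSSDOMAIN_OPEN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: a crossdomain.xml scoped to one HTTPS-only partner host.
CROSSDOMAIN_SCOPED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="widgets.onlinebanking.example" secure="true"/>
</cross-domain-policy>"""

# Constructed sample: a clientaccesspolicy.xml that exposes the whole site.
CLIENTACCESS_OPEN = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

# Constructed sample: a clientaccesspolicy.xml limited to one origin and one path.
CLIENTACCESS_SCOPED = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from>
        <domain uri="https://widgets.onlinebanking.example"/>
      </allow-from>
      <grant-to>
        <resource path="/public/rates" include-subpaths="false"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of findings for a Flash crossdomain.xml document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain-policy document"]
    findings = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site may read '
                            "responses sent with the victim's cookies")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from {domain}: every subdomain is trusted")
        # secure defaults to true; "false" lets plain-HTTP SWFs read HTTPS content.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from {domain} secure="false": '
                            "a SWF loaded over plain HTTP may read this site")
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append('allow-http-request-headers-from domain="*" '
                            'headers="*": any site may send arbitrary headers')
    return findings


def audit_clientaccesspolicy(xml_text):
    """Return a list of findings for a Silverlight clientaccesspolicy.xml document."""
    root = ET.fromstring(xml_text)
    if root.tag != "access-policy":
        return ["not an access-policy document"]
    findings = []
    for policy in root.iter("policy"):
        allow = policy.find("allow-from")
        grant = policy.find("grant-to")
        if allow is None or grant is None:
            continue
        uris = [d.get("uri", "") for d in allow.findall("domain")]
        # Silverlight treats "*", "http://*" and "https://*" as every origin.
        open_origin = any(u in ("*", "http://*", "https://*") for u in uris)
        if open_origin:
            findings.append('allow-from domain uri="*": any site may read '
                            "responses sent with the victim's cookies")
        if allow.get("http-request-headers") == "*":
            findings.append('allow-from http-request-headers="*": any site may '
                            "send arbitrary headers")
        for res in grant.findall("resource"):
            path = res.get("path", "")
            subpaths = res.get("include-subpaths", "false").lower() == "true"
            if open_origin and path == "/" and subpaths:
                findings.append('grant-to resource path="/" include-subpaths='
                                '"true": the whole site is exposed to every origin')
    return findings


if __name__ == "__main__":
    for name, text, fn in [("crossdomain.xml (open)", CROSSDOMAIN_OPEN, audit_crossdomain),
                           ("crossdomain.xml (scoped)", CROSSDOMAIN_SCOPED, audit_crossdomain),
                           ("clientaccesspolicy.xml (open)", CLIENTACCESS_OPEN, audit_clientaccesspolicy),
                           ("clientaccesspolicy.xml (scoped)", CLIENTACCESS_SCOPED, audit_clientaccesspolicy)]:
        print(name, "->", fn(text) or "no findings")
```

The scoped variants show the shape the answer implies is safe: a named origin, HTTPS only, and (for Silverlight) a single unauthenticated path rather than `/` with subpaths. Running the auditor against the files your own server actually serves at `/crossdomain.xml` and `/clientaccesspolicy.xml` is a quick way to confirm that no wildcard has crept in.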
