HttpOnly cookie 如何处理 AJAX 请求? [英] How do HttpOnly cookies work with AJAX requests?
问题描述
如果在基于 cookie 的访问限制的站点上使用 AJAX,JavaScript 需要访问 cookie.HttpOnly cookie 可以在 AJAX 站点上工作吗?
JavaScript needs access to cookies if AJAX is used on a site with access restrictions based on cookies. Will HttpOnly cookies work on an AJAX site?
如果指定了 HttpOnly,Microsoft 通过禁止 JavaScript 访问 cookie 来创建防止 XSS 攻击的方法.FireFox 后来采用了这一点.所以我的问题是:如果您在 StackOverflow 等网站上使用 AJAX,是否可以选择 Http-Only cookie?
Microsoft created a way to prevent XSS attacks by disallowing JavaScript access to cookies if HttpOnly is specified. FireFox later adopted this. So my question is: If you are using AJAX on a site, like StackOverflow, are Http-Only cookies an option?
Edit 2: 问题 2. 如果 HttpOnly 的目的是阻止 JavaScript 访问 cookie,而您仍然可以通过 XmlHttpRequest 对象通过 JavaScript 检索 cookie,有什么意义HttpOnly 的?
Edit 2: Question 2. If the purpose of HttpOnly is to prevent JavaScript access to cookies, and you can still retrieve the cookies via JavaScript through the XmlHttpRequest Object, what is the point of HttpOnly?
编辑 3: 这是维基百科的引述:
Edit 3: Here is a quote from Wikipedia:
当浏览器收到这样的 cookie 时,它应该像往常一样在以下 HTTP 交换中使用它,但不让它对客户端脚本可见.[32]HttpOnly 标志不是任何标准的一部分,也不是在所有浏览器中都实现.请注意,目前没有阻止通过 XMLHTTPRequest 读取或写入会话 cookie.[33].
When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts.[32] The
HttpOnlyflag is not part of any standard, and is not implemented in all browsers. Note that there is currently no prevention of reading or writing the session cookie via a XMLHTTPRequest. [33].
我了解当您使用 HttpOnly 时 document.cookie 被阻止.但似乎您仍然可以读取 XMLHttpRequest 对象中的 cookie 值,从而允许 XSS.HttpOnly 如何让你更安全?通过使 cookie 本质上是只读的?
I understand that document.cookie is blocked when you use HttpOnly. But it seems that you can still read cookie values in the XMLHttpRequest object, allowing for XSS. How does HttpOnly make you any safer than? By making cookies essentially read only?
在您的示例中,我无法写入您的 document.cookie,但我仍然可以窃取您的 cookie 并使用 XMLHttpRequest 对象将其发布到我的域中.
In your example, I cannot write to your document.cookie, but I can still steal your cookie and post it to my domain using the XMLHttpRequest object.
<script type="text/javascript">
var req = null;
try { req = new XMLHttpRequest(); } catch(e) {}
if (!req) try { req = new ActiveXObject("Msxml2.XMLHTTP"); } catch(e) {}
if (!req) try { req = new ActiveXObject("Microsoft.XMLHTTP"); } catch(e) {}
req.open('GET', 'http://stackoverflow.com/', false);
req.send(null);
alert(req.getAllResponseHeaders());
</script>
编辑 4: 抱歉,我的意思是您可以将 XMLHttpRequest 发送到 StackOverflow 域,然后将 getAllResponseHeaders() 的结果保存为字符串,将 cookie 正则表达式,然后发布到外部域.维基百科和黑客似乎在这一点上同意我的看法,但我很想接受再教育......
Edit 4: Sorry, I meant that you could send the XMLHttpRequest to the StackOverflow domain, and then save the result of getAllResponseHeaders() to a string, regex out the cookie, and then post that to an external domain. It appears that Wikipedia and ha.ckers concur with me on this one, but I would love be re-educated...
最终啊,显然两个网站都错了,这实际上是一个 FireFox 中的错误.IE6 &7 实际上是目前唯一完全支持 HttpOnly 的浏览器.
Final Ahh, apparently both sites are wrong, this is actually a bug in FireFox. IE6 & 7 are actually the only browsers that currently fully support HttpOnly.
重申我学到的一切:
- HttpOnly 在 IE7 & 中限制对 document.cookie 的所有访问和 FireFox(不确定其他浏览器)
- HttpOnly 从 IE7 中 XMLHttpObject.getAllResponseHeaders() 的响应头中删除 cookie 信息.
- XMLHttpObjects 只能提交到它们源自的域,因此不会跨域发布 cookie.
此信息可能不再是最新的.
推荐答案
是的,仅 HTTP cookie 适合此功能.他们仍然会被提供给服务器的 XmlHttpRequest 请求.
Yes, HTTP-Only cookies would be fine for this functionality. They will still be provided with the XmlHttpRequest's request to the server.
在 Stack Overflow 的情况下,cookie 会作为 XmlHttpRequest 请求的一部分自动提供.我不知道 Stack Overflow 身份验证提供程序的实现细节,但该 cookie 数据可能会自动用于在比投票"控制器方法更低的级别验证您的身份.
In the case of Stack Overflow, the cookies are automatically provided as part of the XmlHttpRequest request. I don't know the implementation details of the Stack Overflow authentication provider, but that cookie data is probably automatically used to verify your identity at a lower level than the "vote" controller method.
更一般地说,AJAX 不需要 cookie.XmlHttpRequest 支持(或什至 iframe 远程处理,在较旧的浏览器上)是技术上需要的全部内容.
More generally, cookies are not required for AJAX. XmlHttpRequest support (or even iframe remoting, on older browsers) is all that is technically required.
但是,如果您想为启用 AJAX 的功能提供安全性,则适用与传统网站相同的规则.您需要某种方法来识别每个请求背后的用户,而 cookie 几乎总是达到此目的的手段.
However, if you want to provide security for AJAX enabled functionality, then the same rules apply as with traditional sites. You need some method for identifying the user behind each request, and cookies are almost always the means to that end.
在您的示例中,我无法写入您的 document.cookie,但我仍然可以窃取您的 cookie 并使用 XMLHttpRequest 对象将其发布到我的域中.
In your example, I cannot write to your document.cookie, but I can still steal your cookie and post it to my domain using the XMLHttpRequest object.
XmlHttpRequest 不会发出跨域请求(正是出于您提到的各种原因).
XmlHttpRequest won't make cross-domain requests (for exactly the sorts of reasons you're touching on).
您通常可以注入脚本以使用 iframe 远程处理或 JSONP 将 cookie 发送到您的域,但随后 HTTP-Only 再次保护 cookie,因为它无法访问.
You could normally inject script to send the cookie to your domain using iframe remoting or JSONP, but then HTTP-Only protects the cookie again since it's inaccessible.
除非您在服务器端破坏了 StackOverflow.com,否则您将无法窃取我的 cookie.
Unless you had compromised StackOverflow.com on the server side, you wouldn't be able to steal my cookie.
Edit 2: Question 2. 如果 Http-Only 的目的是防止 JavaScript 访问 cookie,而你仍然可以通过 JavaScript 通过 XmlHttpRequest 对象检索 cookie,那么 Http-Only 有什么意义?
Edit 2: Question 2. If the purpose of Http-Only is to prevent JavaScript access to cookies, and you can still retrieve the cookies via JavaScript through the XmlHttpRequest Object, what is the point of Http-Only?
考虑这种情况:
- 我找到了将 JavaScript 代码注入页面的方法.
- Jeff 加载页面,我的恶意 JavaScript 修改了他的 cookie 以匹配我的 cookie.
- Jeff 为您的问题提供了出色的答案.
- 因为他提交的是我的 cookie 数据而不是他的,所以答案将成为我的.
- 您对我的"出色回答投了赞成票.
- 我的真实账户明白了这一点.
使用 HTTP-Only cookie,第二步是不可能的,从而挫败了我的 XSS 尝试.
With HTTP-Only cookies, the second step would be impossible, thereby defeating my XSS attempt.
编辑 4:抱歉,我的意思是您可以将 XMLHttpRequest 发送到 StackOverflow 域,然后将 getAllResponseHeaders() 的结果保存为字符串,将 cookie 正则表达式,然后将其发布到外部域.维基百科和黑客似乎在这一点上同意我的看法,但我很想接受再教育......
Edit 4: Sorry, I meant that you could send the XMLHttpRequest to the StackOverflow domain, and then save the result of getAllResponseHeaders() to a string, regex out the cookie, and then post that to an external domain. It appears that Wikipedia and ha.ckers concur with me on this one, but I would love be re-educated...
没错.您仍然可以通过这种方式进行会话劫持.但是,即使是针对您的 XSS 黑客攻击也能成功执行的人数量确实减少了.
That's correct. You can still session hijack that way. It does significantly thin the herd of people who can successfully execute even that XSS hack against you though.
然而,如果你回到我的示例场景,你可以看到 HTTP-Only 做成功地切断了依赖于修改客户端 cookie 的 XSS 攻击(并不少见).
However, if you go back to my example scenario, you can see where HTTP-Only does successfully cut off the XSS attacks which rely on modifying the client's cookies (not uncommon).
归结为这样一个事实:a) 没有任何一项改进可以解决所有漏洞,并且 b) 没有任何系统永远是完全安全的.HTTP-Only 是支持 XSS 的有用工具.
It boils down to the fact that a) no single improvement will solve all vulnerabilities and b) no system will ever be completely secure. HTTP-Only is a useful tool in shoring up against XSS.
同样,即使 XmlHttpRequest 的跨域限制在阻止所有 XSS 攻击方面并非 100% 成功,您仍然做梦都想取消限制.
Similarly, even though the cross domain restriction on XmlHttpRequest isn't 100% successful in preventing all XSS exploits, you'd still never dream of removing the restriction.
这篇关于HttpOnly cookie 如何处理 AJAX 请求?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
