如何仅Http饼干AJAX请求工作? [英] How do HttpOnly cookies work with AJAX requests?
问题描述
JavaScript需要访问的cookie,如果AJAX被用在一个网站的基础上的cookie的访问限制。对一个AJAX网站将仅Http Cookie的工作?
JavaScript needs access to cookies if AJAX is used on a site with access restrictions based on cookies. Will HttpOnly cookies work on an AJAX site?
编辑:的微软通过禁止cookie的JavaScript的访问,如果指定的HttpOnly创建方式prevent XSS攻击。火狐后来采用了这一点。所以我的问题是:如果你在网站上使用AJAX,像计算器,是仅HTTP的cookie的选项
Microsoft created a way to prevent XSS attacks by disallowing JavaScript access to cookies if HttpOnly is specified. FireFox later adopted this. So my question is: If you are using AJAX on a site, like StackOverflow, are Http-Only cookies an option?
编辑2:的问题2.如果仅Http的目的是为饼干prevent JavaScript的访问,你仍然可以通过XmlHtt prequest对象检索通过JavaScript的饼干, 什么是仅Http点
Edit 2: Question 2. If the purpose of HttpOnly is to prevent JavaScript access to cookies, and you can still retrieve the cookies via JavaScript through the XmlHttpRequest Object, what is the point of HttpOnly?
编辑3:的下面是来自维基百科报价:
Edit 3: Here is a quote from Wikipedia:
当浏览器接收这样一个cookie,它应该使用它作为通常在下列HTTP交换,而不是使其向客户端脚本可见。[32] 的HttpOnly 标志不是任何标准的一部分,而不是在所有的浏览器实现的。需要注意的是,目前的读取或写入通过XMLHTT prequest会话cookie没有prevention。 [33]
When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts.[32] The
HttpOnlyflag is not part of any standard, and is not implemented in all browsers. Note that there is currently no prevention of reading or writing the session cookie via a XMLHTTPRequest. [33].
据我所知,的document.cookie 当您使用的HttpOnly被阻止。但似乎你仍然可以读取cookie值在XMLHtt prequest对象,允许XSS。如何仅Http让比你更安全?通过制作饼干基本上只读?
I understand that document.cookie is blocked when you use HttpOnly. But it seems that you can still read cookie values in the XMLHttpRequest object, allowing for XSS. How does HttpOnly make you any safer than? By making cookies essentially read only?
在你的榜样,我不会写你的的document.cookie ,但我仍然可以窃取您的cookie,并使用XMLHtt prequest对象发布到我的域名
In your example, I cannot write to your document.cookie, but I can still steal your cookie and post it to my domain using the XMLHttpRequest object.
<script type="text/javascript">
var req = null;
try { req = new XMLHttpRequest(); } catch(e) {}
if (!req) try { req = new ActiveXObject("Msxml2.XMLHTTP"); } catch(e) {}
if (!req) try { req = new ActiveXObject("Microsoft.XMLHTTP"); } catch(e) {}
req.open('GET', 'http://stackoverflow.com/', false);
req.send(null);
alert(req.getAllResponseHeaders());
</script>
编辑4:的对不起,我的意思是,你可以发送XMLHtt prequest到StackOverflow的域,然后保存getAllResponseHeaders的结果()为字符串,正则表达式了饼干,然后张贴到外部域。看来,维基百科和ha.ckers我同意在这一个,但我会爱再教育......
Edit 4: Sorry, I meant that you could send the XMLHttpRequest to the StackOverflow domain, and then save the result of getAllResponseHeaders() to a string, regex out the cookie, and then post that to an external domain. It appears that Wikipedia and ha.ckers concur with me on this one, but I would love be re-educated...
最后编辑:的啊,显然这两个网站都是错误的,这实际上是一个错误在Firefox 的。 IE6和放大器; 7实际上,目前完全支持的HttpOnly唯一的浏览器。
Final Ahh, apparently both sites are wrong, this is actually a bug in FireFox. IE6 & 7 are actually the only browsers that currently fully support HttpOnly.
要重申一切,我已经学会了:
To reiterate everything I've learned:
- 仅Http限制所有访问的document.cookie在IE7和放大器;和Firefox(不知道其他浏览器)
- 仅Http删除在IE7的响应头在XMLHttpObject.getAllResponseHeaders cookie信息()。
- XMLHttpObjects只可提交给他们起源于域,于是就有了饼干没有跨域过帐。
编辑:该信息很可能不再是最新的的
推荐答案
是的,HTTP,只有饼干就可以了这一功能。它们仍然会设置有XmlHtt prequest的请求到服务器。
Yes, HTTP-Only cookies would be fine for this functionality. They will still be provided with the XmlHttpRequest's request to the server.
在堆栈溢出的情况下,饼干被自动提供作为XmlHtt prequest请求的一部分。我不知道该堆栈溢出的身份验证提供者的实现细节,但该cookie数据可能会自动用来验证您的身份,在一个较低的水平比投票控制器方法。
In the case of Stack Overflow, the cookies are automatically provided as part of the XmlHttpRequest request. I don't know the implementation details of the Stack Overflow authentication provider, but that cookie data is probably automatically used to verify your identity at a lower level than the "vote" controller method.
更普遍,饼干的不可以需要AJAX。 XmlHtt prequest支持(甚至IFRAME远程处理,对旧的浏览器)是所有在技术上需要。
More generally, cookies are not required for AJAX. XmlHttpRequest support (or even iframe remoting, on older browsers) is all that is technically required.
不过,如果你想为启用AJAX功能提供担保,则适用同样的规则与传统的网站。你需要某种方法来识别用户的每个请求的背后,饼干几乎都是手段来实现这一目标。
However, if you want to provide security for AJAX enabled functionality, then the same rules apply as with traditional sites. You need some method for identifying the user behind each request, and cookies are almost always the means to that end.
在你的榜样,我不能写信给你的document.cookie,但我仍可以窃取您的cookie和张贴到使用XMLHtt prequest对象,我的域名。
In your example, I cannot write to your document.cookie, but I can still steal your cookie and post it to my domain using the XMLHttpRequest object.
XmlHtt prequest不会让跨域请求(正是各种你触及的原因)。
XmlHttpRequest won't make cross-domain requests (for exactly the sorts of reasons you're touching on).
您可以正常注入脚本使用的iframe远程处理或JSONP该cookie发送到您的域名,但当时仅HTTP再次保护cookie的,因为它是不可访问。
You could normally inject script to send the cookie to your domain using iframe remoting or JSONP, but then HTTP-Only protects the cookie again since it's inaccessible.
除非你已经在服务器端破坏StackOverflow.com,你就不能偷我的cookie。
Unless you had compromised StackOverflow.com on the server side, you wouldn't be able to steal my cookie.
编辑2:问题2如果目的仅HTTP是prevent cookie的JavaScript的访问,你仍然可以通过XmlHtt prequest对象检索通过JavaScript的饼干,是什么点仅HTTP?
Edit 2: Question 2. If the purpose of Http-Only is to prevent JavaScript access to cookies, and you can still retrieve the cookies via JavaScript through the XmlHttpRequest Object, what is the point of Http-Only?
考虑这种情况:
- 在我找到一个途径注入的JavaScript code到页面中。
- 杰夫加载页面和我恶意的JavaScript修改了cookie来配合我的。
- 杰夫提交一个恒星回答你的问题。
- 因为他提出与我的cookie数据,而不是他的,答案将成为我的。
- 您投了我的恒星的答案。
- 在我的真实账户获取点。
使用HTTP-只有饼干,第二个步骤是不可能的,从而击败我XSS尝试。
With HTTP-Only cookies, the second step would be impossible, thereby defeating my XSS attempt.
编辑4:对不起,我的意思是,你可以发送XMLHtt prequest到StackOverflow的域,然后保存getAllResponseHeaders()为字符串的结果,正则表达式出来的饼干,然后张贴到外部域。看来,维基百科和ha.ckers我同意在这一个,但我会爱再教育......
Edit 4: Sorry, I meant that you could send the XMLHttpRequest to the StackOverflow domain, and then save the result of getAllResponseHeaders() to a string, regex out the cookie, and then post that to an external domain. It appears that Wikipedia and ha.ckers concur with me on this one, but I would love be re-educated...
这是正确的。您仍然可以会话劫持的方式。它确实显著瘦的人的从众谁可以成功执行甚至XSS黑客对你虽然。
That's correct. You can still session hijack that way. It does significantly thin the herd of people who can successfully execute even that XSS hack against you though.
不过,如果你回到我的示例场景,您可以看到仅HTTP的确实的成功切断依赖于修改客户端的cookie(不常见)的XSS攻击。
However, if you go back to my example scenario, you can see where HTTP-Only does successfully cut off the XSS attacks which rely on modifying the client's cookies (not uncommon).
它归结为一个事实,即)没有单一的改善将解决的所有的漏洞和b)没有系统的永远的是完全安全的。仅HTTP的是在维护对XSS的有用工具。
It boils down to the fact that a) no single improvement will solve all vulnerabilities and b) no system will ever be completely secure. HTTP-Only is a useful tool in shoring up against XSS.
同样,即使在XmlHtt prequest的跨域限制是不是100%成功,preventing所有的XSS漏洞,你还在做梦也想不到去除限制。
Similarly, even though the cross domain restriction on XmlHttpRequest isn't 100% successful in preventing all XSS exploits, you'd still never dream of removing the restriction.
这篇关于如何仅Http饼干AJAX请求工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
