How to use JSONP to overcome XSS issue?


Question

I have a piece of javascript executing on a jetty server which is sending an XMLHttpRequest to a socket on another server (wamp server). The request gets sent to the socket, however the XHR response seems to be getting blocked.

I have heard that I can use JSONP to overcome this problem. However, as I am new to javascript and have never used the JSONP technique before, I would greatly appreciate any help in how to use this technique.

function GetXmlHttpObject() {
    // Helper the snippet relies on but did not include: returns a native
    // XMLHttpRequest, or null on a browser that does not provide one
    if (window.XMLHttpRequest) {
        return new XMLHttpRequest();
    }
    return null;
}

function sendPost(url, postdata, callback) {
    var xmlHttp = GetXmlHttpObject();

    if (xmlHttp == null) {
        alert("Browser does not support HTTP Request");
        return;
    }

    // callback runs on every readyState change, not only on completion
    xmlHttp.onreadystatechange = callback;
    xmlHttp.open("POST", url, true);
    xmlHttp.send(postdata);
}

function sendInitRQ(width, height) {
    // XML command body that the PHP socket script expects
    var post = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><command type=\"init\"><width>" + width + "</width><height>" + height + "</height></command>";

    // initReturned is the readystatechange handler defined elsewhere in the page
    sendPost("http://localhost:80/socket.php", post, initReturned);
}

I know that the php socket is receiving the post, as when I check the server log I get a 200 on the get request.

I just want to know how can I use the JSONP approach? I have seen examples of the approach but I am still unsure of how to do it.

Answer

The JSONP technique uses a completely different mechanism for issuing HTTP requests to a server and acting on the response. It requires cooperating code in the client page and on the server. The server must have a URL that responds to HTTP "GET" requests with a block of JSON wrapped in a function call. Thus, you can't just do JSONP transactions to any old server; it must be a server that explicitly provides the functionality.

The idea is that your client-side code creates a <script> block dynamically, with the "src" attribute set to the URL of the JSONP server. The URL should contain a parameter telling the server the name of the Javascript function you expect it to call with the JSON data. (Exactly what parameter name to use depends on the server; usually it's "callback", but I've seen some that use "jsonp".) The client must of course have that function in the global scope. In other words, if you have a function like

function handleJSON(json) {
  var something = json.something;
  // ... whatever ...
}

then your URL tells the server to call "handleJSON", and the server response should look like this:

handleJSON({"id": 102, "something": { "more": "data", "random": true }});

Thus when the <script> block is loaded from the "src" URL you gave, the browser will interpret the contents (the response from the server) and your function will be called.

It should be clear that you should only make JSONP requests to servers you trust, since they're sending back code to execute in your client, with access to any active session(s) your client has with other secured sites.

edit — Here's a nice article: http://www.ibm.com/developerworks/library/wa-aj-jsonp1/
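The exchange the answer describes, as an added example that is not part of the original question or answer: the client half registers a one-off global callback and inserts the <script> tag, and the server half renders "callbackName(json);" for a GET with a "callback" parameter. The endpoint URL, the "callback" parameter name, the payload and the fake document used to run the round trip outside a browser are all assumptions for illustration. The server side validates the callback name against an identifier pattern before echoing it, because that parameter is reflected verbatim into executable script, and it sets nosniff so the response is only ever consumed as a script.

```javascript
// Added example, not the poster's code. Both halves of a JSONP exchange, written
// so they can be exercised in Node.js without a browser.

// Callback names the server will honour: a JavaScript identifier, optionally
// dotted (e.g. "handleJSON" or "app.onData"). Anything else is rejected rather
// than reflected into the script body.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// ---- server side: what GET /data?callback=NAME should return ----------------
function jsonpResponse(callbackName, payload) {
  if (typeof callbackName !== 'string' || !CALLBACK_RE.test(callbackName)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback name' };
  }
  // JSON.stringify escapes quotes and backslashes; U+2028/U+2029 are escaped too,
  // since they are legal inside JSON strings but are line terminators in JS source.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: callbackName + '(' + json + ');',
  };
}

// ---- client side: build the script URL and insert the <script> tag ----------
function buildJsonpUrl(baseUrl, callbackName, extraParams) {
  const u = new URL(baseUrl);
  u.searchParams.set('callback', callbackName);
  for (const [k, v] of Object.entries(extraParams || {})) {
    u.searchParams.set(k, String(v));
  }
  return u.toString();
}

let jsonpCounter = 0;
// `doc` and `globalObj` default to the browser's document/globalThis; the
// simulation below passes fakes so the same code runs under Node.
function requestJsonp(baseUrl, params, onData, doc, globalObj) {
  doc = doc || document;
  globalObj = globalObj || globalThis;
  const name = '__jsonp_cb_' + (jsonpCounter++);
  const script = doc.createElement('script');
  globalObj[name] = function (data) {
    // one-shot: remove the global and the script element once the data arrives
    delete globalObj[name];
    if (script.parentNode) script.parentNode.removeChild(script);
    onData(data);
  };
  script.src = buildJsonpUrl(baseUrl, name, params);
  doc.head.appendChild(script);
  return name; // the name the server is expected to echo back
}

// ---- full round trip without a browser -------------------------------------
// A fake document records the inserted <script>, the server renders the response
// for the callback named in its URL, and the body is executed as a browser would.
function simulateRoundTrip(payload) {
  const appended = [];
  const fakeDoc = {
    createElement: () => ({ src: '', parentNode: null }),
    head: { appendChild: (el) => appended.push(el) },
  };
  const g = {}; // stands in for the page's global object
  let received = null;
  const name = requestJsonp(
    'http://localhost:80/socket.php', // constructed endpoint, mirrors the question
    { type: 'init', width: 640, height: 480 },
    (d) => { received = d; },
    fakeDoc, g
  );
  const cbParam = new URL(appended[0].src).searchParams.get('callback');
  const resp = jsonpResponse(cbParam, payload);
  // Execute the script body with the registered callback bound to its name.
  new Function(name, resp.body)(g[name]);
  return { callback: name, status: resp.status, received, cleanedUp: !(name in g) };
}

module.exports = { jsonpResponse, buildJsonpUrl, requestJsonp, simulateRoundTrip };
```

Note that the server, not the client, decides what runs in the page: nothing on the client side can check the returned script before the browser executes it, which is why the answer's trust caveat applies and why the callback-name validation belongs on the server.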
