jQuery JSONP安全性 [英] jQuery JSONP Security

问题描述

我试图说服一个团队，与不受信任的第三方一起使用jQuery JSONP调用可能是不安全的.我正在使用标准jQuery代码:

Am trying to convince a team that using jQuery JSONP call with a untrusted third-party might be insecure. Am using standard jQuery code:

$.ajax({
    url:unsecureserver+"?json_callback=?",
    dataType:'jsonp'
    success:function(data) {
        // doing processing here
    }
});

我需要一些帮助，以返回可能导致问题的哪种不安全数据；例如显示警报消息.例如像这样的JSON语句:

I need some help on what kind of insecure data to return which could cause issues; e.g. show an alert message. e.g. a JSON statement like:

 { "success": true } alert('hi');

有人建议我将上面的内容替换为jQuery吗?

Any suggestions what I should replace the above with so that it works with jQuery?

推荐答案

JSON包含使用script标记的javascript文件，并且响应应包含以json_callback参数命名的函数.这意味着任何代码都可以运行.通过以下呼叫:

JSON includes a javascript file using the script tag and the response should include a function which is named after the json_callback parameter. This means that any code can be run. With the following call:

$.ajax({
    url:unsecureserver+"?json_callback=callback",
    dataType:'jsonp'
    success:function(data) {
        // doing processing here
    }
});

响应中可能包含不安全的代码:

The response which may contain insecure code:

document.write('evil content');
alert('hi');
callback({ "success": true });

这篇关于jQuery JSONP安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！