jQuery JSONP Security
Question
I am trying to convince a team that using a jQuery JSONP call with an untrusted third party might be insecure. I am using standard jQuery code:
$.ajax({
url: unsecureserver + "?json_callback=?",
dataType: 'jsonp', // comma was missing here in the original snippet
success: function(data) {
// doing processing here
}
});
I need some help on what kind of insecure data to return which could cause issues, e.g. show an alert message; for example, a JSON statement like:
{ "success": true } alert('hi');
Any suggestions on what I should replace the above with so that it works with jQuery?
Accepted answer
JSON includes a JavaScript file using the script tag, and the response should include a function which is named after the json_callback parameter. This means that any code can be run. With the following call:
$.ajax({
url: unsecureserver + "?json_callback=callback",
dataType: 'jsonp', // comma was missing here in the original snippet
success: function(data) {
// doing processing here
}
});
The response may contain insecure code:
document.write('evil content');
alert('hi');
callback({ "success": true });
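The following is an added example, not code from the question or the answer above. It shows why the response the answer describes is dangerous: a JSONP response is executed as a script, so the "evil" statements run before the callback is ever reached, whereas the same body handed to JSON.parse is simply rejected. It also shows the server-side check a JSONP endpoint needs on the json_callback parameter. The response text is constructed from the answer's example; runAsJsonpScript is a hypothetical stand-in for what a script tag does, not a jQuery API.

```javascript
// Constructed response body, based on the one given in the answer above.
const jsonpResponse = [
  "document.write('evil content');",
  "alert('hi');",
  'callback({ "success": true });',
].join("\n");

// Hypothetical stand-in for a <script src=...> tag: the whole body runs as
// code with access to page globals. Side effects are recorded, not performed.
function runAsJsonpScript(body, callbackName) {
  const sideEffects = [];
  let result;
  const scope = {
    document: { write: (s) => sideEffects.push("document.write:" + s) },
    alert: (s) => sideEffects.push("alert:" + s),
    [callbackName]: (data) => { result = data; },
  };
  // new Function evaluates the body just as the browser would evaluate the
  // fetched script, so everything before callback(...) executes too.
  new Function(...Object.keys(scope), body)(...Object.values(scope));
  return { result, sideEffects };
}

// Safer alternative for an untrusted origin: request plain JSON (with CORS)
// and parse it. A body containing statements is not JSON and is rejected
// rather than executed.
function parseAsJson(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// If a server must offer JSONP, it has to restrict the callback name to a
// plain identifier; otherwise the json_callback parameter itself becomes a
// way to put script into the response.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]{0,63}$/;
function isSafeCallbackName(name) {
  return CALLBACK_NAME.test(name);
}
```

Running the constructed response through runAsJsonpScript records both side effects before the callback fires, while parseAsJson rejects it with a SyntaxError.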