Is JSONP safe to use?


Question


Are there any security issues that should be considered when using JSONP?

Recommended answer


Update: JSONP is a common hack to do cross-domain requests. Modern browsers now have Cross-Origin Resource Sharing, and IE8+ has XDomainRequest, which is similar. See http://enable-cors.org/ for more info.


JSONP is just a script include that allows you to use a callback. You should however be aware of Cross-site request forgery (CSRF).


As long as you control the script and the server, JSONP isn't any more insecure than a script include. Unless you have a JSONP service that returns sensitive data to logged-in users. A malicious site can send a request to the service (hoping that the user is logged in on your site) and retrieve the data. The service can check the referrer of the request, but it is possible to spoof the referrer using Flash (thanks Chris Moschini).


Imagine this scenario:
- A user logs into his internet banking account, storing a session cookie in the user's browser. This site has a JSONP service with sensitive info about the user and his accounts.
- Other sites won't know that the user is logged in, but they could take a wild guess and try to access the JSONP service. Since the user has a session cookie, the browser will get a response, and there's nothing stopping the site from doing an Ajax POST to save the sensitive data on their server.


Update June 28th 2012: If you want to protect against CSRF attacks you should read this in-depth blog post by a security expert: http://erlend.oftedal.no/blog/?blogid=130
