Is it possible to make a secure JSONP request?

Problem description

I only need to support new browsers.

I have to rely on an external service to provide JSONP data, I do not own that service and it does not allow CORS.

I feel very uneasy having to trust JSONP requests from the external server, since they can run arbitrary code on my end, which would allow them to track my users, and even steal their information.

I was wondering if there was any way to create a JSONP request that is also secure?

(Related: How to reliably secure public JSONP requests? but not with the new browser relaxation)

NOTE: I asked/answered it Q&A style, but I'm very open to other ideas.

Recommended answer

Yes!

It is possible. One way to do it would be to use WebWorkers. Code running in WebWorkers has no access to the DOM or other JavaScript code your page is running.

You can create a WebWorker and execute the JSONP request with it, then terminate it when you're done.

The process is as follows:

  • Create a WebWorker from a blob with the URL to request
  • Use importScripts to load the JSONP request with a local callback
  • When that callback executes, post a message back to the script, which in turn will execute the actual callback message with the data.

That way, an attacker would have no information about the DOM.

Here is a sample implementation:

//   Creates a secure JSONP request using web workers.
//   url - the url to send the request to
//   data - the url parameters to send via querystring
//   callback - a function to execute when done
function jsonp(url, data, callback) {
    // support two parameters
    if (typeof callback === "undefined") {
        callback = data;
        data = {};
    }
    // serialize the GET parameters; encode keys and values so that "&", "=" or "#"
    // inside a value cannot alter the query string
    var getParams = "";
    for (var i in data) {
        if (Object.prototype.hasOwnProperty.call(data, i)) {
            getParams += "&" + encodeURIComponent(i) + "=" + encodeURIComponent(data[i]);
        }
    }
    // Create a new web worker; importScripts issues the request as soon as the
    // worker starts, and the worker posts a message back when the JSONP is done
    var blob = new Blob([
        "var cb=function(val){postMessage(val)};" +
        "importScripts('" + url + "?callback=cb" + getParams + "');"], { type: "text/javascript" });
    var blobURL = window.URL.createObjectURL(blob);
    var worker = new Worker(blobURL);

    // When you get a message, execute the callback, stop the WebWorker and free the blob URL
    worker.onmessage = function (e) {
        callback(e.data);
        worker.terminate();
        window.URL.revokeObjectURL(blobURL);
    };
    setTimeout(function () {
        worker.terminate(); // terminate after 10 seconds in any case.
        window.URL.revokeObjectURL(blobURL);
    }, 10000);
}

Here is sample usage that works in JSFiddle:

jsonp("http://jsfiddle.net/echo/jsonp", {
    "hello": "world"
}, function (response) {
    alert(response.hello);
});

This implementation does not deal with some other issues but it prevents all access to the DOM or the current JavaScript on the page; one can create a safe WebWorker environment.

This should work on IE10+, Chrome, Firefox and Safari as well as mobile browsers.
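A hardened version of the worker approach above, added here as an example and not the answer's own code: the names buildWorkerSource and jsonpInWorker are assumed, the builder runs anywhere (Node or browser), and jsonpInWorker needs a browser with Worker and Blob.

```javascript
// Build the script the worker executes. The request URL is embedded as a JSON
// string literal, so a quote or newline in the input cannot break out of the
// importScripts("...") call, and every query value is encoded by URLSearchParams.
function buildWorkerSource(url, data, callbackName) {
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    throw new Error("callback name must be a plain identifier");
  }
  const target = new URL(url); // throws on a malformed URL
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    throw new Error("JSONP endpoint must be http(s), got " + target.protocol);
  }
  for (const [k, v] of Object.entries(data)) {
    target.searchParams.set(k, String(v));
  }
  target.searchParams.set("callback", callbackName);
  // The first message wins and the worker closes itself. Caveat: the imported
  // script cannot touch the DOM, but it still runs in this page's origin (and
  // under its CSP), so it can still use fetch/XHR; keep the worker short-lived.
  return (
    "var " + callbackName + "=function(v){postMessage(v);self.close();};" +
    "importScripts(" + JSON.stringify(target.href) + ");"
  );
}

// Browser-only: run the request in a dedicated worker. Only structured-clone
// data can cross back (never functions), but it is still untrusted input.
function jsonpInWorker(url, data, timeoutMs = 10000) {
  return new Promise((resolve, reject) => {
    const blob = new Blob([buildWorkerSource(url, data, "cb")], { type: "text/javascript" });
    const blobURL = URL.createObjectURL(blob);
    const worker = new Worker(blobURL);
    let timer;
    const finish = (settle, value) => {
      clearTimeout(timer);
      worker.terminate();
      URL.revokeObjectURL(blobURL);
      settle(value);
    };
    timer = setTimeout(() => finish(reject, new Error("JSONP request timed out")), timeoutMs);
    worker.onmessage = (e) => finish(resolve, e.data);
    worker.onerror = (e) => finish(reject, new Error(e.message || "worker error"));
  });
}
```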
