Why is cross-domain JSONP safe, but cross-domain JSON not?


Question


I'm having trouble connecting some dots having recently learned of JSONP. Here's my understanding:

  • Cross-domain XmlHttpRequests for any content (including JSON) are banned, due to the same origin policy. This protects against XSRF.
  • You are permitted to have a script tag with a src that returns JSONP - some JSON padded inside a call to a Javascript function (say 'Foo')
  • You can have some implementation of 'foo' on the page that will get called when the JSONP data is returned, and you can do things with the JSON data that function is passed

Why is it OK to receive cross-domain data if it came via JSONP, but not if it came via JSON?

Is there an assumption that JSON is prone to permitting XSRF but JSONP is not? If so, is there any reason for that other than JSONP being some de-facto data format that won't ever provide data that enables XSRF? Why JSONP and not some arbitrary root tag on XML instead?

Thank you in advance for your answers, please make my brain work again after failing to figure this one out.

Solution

I don't know how the perception that JSONP is safe came up, but see

JSON-P is, for that reason, seen by many as an unsafe and hacky approach to cross-domain Ajax, and for good reason. Authors must be diligent to only make such calls to remote web services that they either control or implicitly trust, so as not to subject their users to harm.

and

The most critical piece of this proposal is that browser vendors must begin to enforce this rule for script tags that are receiving JSON-P content, and throw errors (or at least stop processing) on any non-conforming JSON-P content.

Both quotes are from http://json-p.org/.

Other links with some useful information about JSONP/security:

All these tell two things: basically, it is not considered "safe", but there are ideas on how to make it "safer"... though most ideas rely on standardization AND specific check logic being built into browsers etc.
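To tie the script-tag mechanism described in the question to the json-p.org checks quoted in the answer, here is an added example that is not part of the question or the answer: a JSONP producer that validates the callback name, a consumer that rejects non-conforming JSON-P bodies the way the quoted proposal asks browsers to, and the browser-side loader. All function and constant names (buildJsonp, parseJsonp, loadJsonp, CALLBACK_NAME, JSONP_BODY) are assumptions.

```javascript
// Added example (not from the question or the answer). Helper names are assumptions.
// A conforming JSONP body is exactly one call to an identifier with a strict-JSON argument.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]{0,63}$/;
const JSONP_BODY = /^\s*(?:\/\*\*\/)?\s*([A-Za-z_$][\w$]*)\s*\(([\s\S]*)\)\s*;?\s*$/;

// Server side: wrap public data in a call to the requested callback.
// Anything a <script src> can fetch is readable by every origin, so only
// data that is public (not derived from the requester's cookies) belongs here.
function buildJsonp(callback, data) {
  if (!CALLBACK_NAME.test(callback)) {
    // An unvalidated callback parameter lets the caller place arbitrary JS
    // in the response, which then runs on every page that embeds it.
    throw new Error(`invalid JSONP callback name: ${callback}`);
  }
  // JSON.stringify leaves U+2028/U+2029 raw; they are line terminators in older
  // JS engines and would break the script, so escape them.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // The leading comment is a common hardening so the body cannot start with
  // caller-chosen bytes.
  return `/**/${callback}(${json});`;
}

// Consumer side: the check json-p.org asks browsers to perform, done in code.
// Rejects bodies that are not a single call to the expected callback or whose
// argument is not strict JSON (e.g. trailing statements or nested calls).
function parseJsonp(body, expectedCallback) {
  const m = JSONP_BODY.exec(body);
  if (!m) throw new Error('non-conforming JSON-P: body is not a single call');
  if (m[1] !== expectedCallback) {
    throw new Error(`non-conforming JSON-P: unexpected callback ${m[1]}`);
  }
  return JSON.parse(m[2]); // throws on anything that is not pure JSON
}

// Browser side (runs only where `document` exists): the script-tag trick from the
// question. The returned script runs with the full privileges of your page.
function loadJsonp(url, callbackName, onData) {
  if (!CALLBACK_NAME.test(callbackName)) throw new Error('invalid callback name');
  window[callbackName] = (data) => {
    delete window[callbackName];
    onData(data);
  };
  const s = document.createElement('script');
  s.src = `${url}${url.includes('?') ? '&' : '?'}callback=${callbackName}`;
  document.head.appendChild(s);
}
```

The consumer check only protects the embedding page from malformed responses; the data-exposure side (any origin can read a JSONP response) is addressed only by never serving cookie-dependent data through a JSONP endpoint.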
