Is the Path attribute of cookies secure against JavaScript?
Question
My JavaScript application may be run in a subfolder at a strange web server.
Is setting the Path attribute of a cookie secure enough to prevent programmers managing other folders of the same server from stealing secret data (with money!) from a user for whom I set the cookie?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies :
The Path attribute indicates a URL path that must exist in the requested URL in order to send the Cookie header.
Nothing is said here about the path also having to exist in the requested URL in order to allow JavaScript code of this path to retrieve the cookie.
Is it also secure when the JavaScript History API is used to change the URL of the page without reloading?
Answer
It is not secure:
https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie#Security :
It is important to note that the path attribute does not protect against unauthorized reading of the cookie from a different path. It can be easily bypassed using the DOM, for example by creating a hidden <iframe> element with the path of the cookie, then accessing this iframe's contentDocument.cookie property. The only way to protect the cookie is by using a different domain or subdomain, due to the same origin policy.
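The following is an added example, not part of the question, the answer, or the MDN text it quotes. It models the two different scoping rules at work: the RFC 6265 path-match that decides which cookies a user agent attaches to a request (and what `document.cookie` returns for a document at that URL), and the same-origin policy, which is what actually limits a script's reach once it frames other same-origin URLs. The cookie records, hostnames (`example.test`, `api.example.test`) and paths are constructed for the demo; host matching is simplified to an exact hostname comparison with no Domain attribute handling.

```javascript
// Added example (not from the question, the answer, or MDN): a small model of
// how a user agent scopes cookies, showing why the Path attribute is not a
// boundary against script on the same origin. Cookie records and hostnames
// are constructed for the demo; host matching is simplified to an exact
// hostname comparison (no Domain attribute handling).

// RFC 6265 section 5.1.4: does request-path "path-match" cookie-path?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // cookie-path is a proper prefix: it must end in "/", or the next character
  // of request-path must be "/" (so "/app/mineral" does not match "/app/mine")
  if (cookiePath.endsWith('/')) return true;
  return requestPath.charAt(cookiePath.length) === '/';
}

// RFC 6265 section 5.1.4: default-path used when Set-Cookie has no Path attribute.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== '/') return '/';
  const lastSlash = uriPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : uriPath.slice(0, lastSlash);
}

// Constructed cookie record, in the shape a cookie store keeps it.
function makeCookie(name, value, attrs) {
  return {
    name,
    value,
    host: attrs.host,
    path: attrs.path || '/',
    secure: Boolean(attrs.secure),
    httpOnly: Boolean(attrs.httpOnly),
  };
}

// Does a stored cookie apply to a URL? (RFC 6265 section 5.4, simplified.)
function applies(cookie, url) {
  const u = new URL(url);
  return cookie.host === u.hostname
    && pathMatch(u.pathname, cookie.path)
    && (!cookie.secure || u.protocol === 'https:');
}

// Names of the cookies the user agent attaches to an HTTP request for url.
function cookiesForRequest(jar, url) {
  return jar.filter(c => applies(c, url)).map(c => c.name);
}

// Names a script in a document at docUrl sees in document.cookie directly:
// the request set for that URL minus HttpOnly cookies.
function cookiesViaDocumentCookie(jar, docUrl) {
  return jar.filter(c => applies(c, docUrl) && !c.httpOnly).map(c => c.name);
}

// Names a script at docUrl can reach with the bypass the answer quotes: embed a
// hidden <iframe> at a same-origin URL under each cookie's path and read
// iframe.contentDocument.cookie. The frame is same-origin by construction, so
// contentDocument is accessible; the only filters left are the hostname check
// inside applies() (the same-origin policy) and HttpOnly, not the Path attribute.
function cookiesReachableByScript(jar, docUrl) {
  const u = new URL(docUrl);
  const reachable = new Set();
  for (const c of jar) {
    const framePath = c.path.endsWith('/') ? c.path : c.path + '/';
    const frameUrl = u.origin + framePath;
    for (const name of cookiesViaDocumentCookie(jar, frameUrl)) {
      reachable.add(name);
    }
  }
  return [...reachable];
}

// Constructed cookie store: two apps under one host (one marks its session
// cookie HttpOnly) plus a separate API subdomain.
const demoJar = [
  makeCookie('token', 'secret', { host: 'example.test', path: '/app/mine', secure: true }),
  makeCookie('sid', 'abc', { host: 'example.test', path: '/app/mine', secure: true, httpOnly: true }),
  makeCookie('pref', 'dark', { host: 'example.test', path: '/' }),
  makeCookie('apikey', 'xyz', { host: 'api.example.test', path: '/' }),
];

function demo() {
  const otherApp = 'https://example.test/app/other/index.html';
  console.log('sent on a request to /app/other:', cookiesForRequest(demoJar, otherApp));
  console.log('document.cookie at /app/other:', cookiesViaDocumentCookie(demoJar, otherApp));
  console.log('reachable via same-origin iframe:', cookiesReachableByScript(demoJar, otherApp));
  console.log('reachable from api.example.test:', cookiesReachableByScript(demoJar, 'https://api.example.test/'));
}

demo();
```

Run with `node` and compare the second and third lines: a page under `/app/other` sees only `pref` in its own `document.cookie`, yet the framing model reaches `token` as well, because Path never enters the same-origin decision. `sid` stays out only because it is HttpOnly, and `apikey` stays out only because it lives on a different origin, which is the mitigation the answer gives: put the cookie on its own (sub)domain, and mark it HttpOnly so script on that origin cannot read the value either.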