Why same origin policy for XMLHttpRequest


Question

Why do browsers apply the same origin policy to XMLHttpRequest? It's really inconvenient for developers, but it appears it does little in actually stopping hackers. There are workarounds, they can still include javascript from outside sources (the power behind JSONP).

It seems like an outdated "feature" in a web that's largely interlinked.

Answer

Because an XMLHttpRequest passes the user's authentication tokens. If the user were logged onto example.com with basic auth or some cookies, then visited attacker.com, the latter site could create an XMLHttpRequest to example.com with full authorisation for that user and read any private page that the user could (then forward it back to the attacker).

Because putting secret tokens in webapp pages is the way to stop simple Cross-Site-Request-Forgery attacks, this means attacker.com could take any on-page actions the user could at example.com without any consent or interaction from them. Global XMLHttpRequest is global cross-site-scripting.

(Even if you had a version of XMLHttpRequest that didn't pass authentication, there are still problems. For example an attacker could make requests out to other non-public machines on your intranet and read any files it can download from them which may not be meant for public consumption. <script> tags already suffer from a limited form of this kind of vulnerability, but the fully-readable responses of XMLHttpRequest would leak all kinds of files instead of a few unfortunately-crafted ones that can parse as JavaScript.)
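The scenario in the answer above, as an added example that is not part of the original question or answer: a small Node.js model of what the browser does when a page at attacker.com issues a credentialed XMLHttpRequest to example.com. The request always leaves with the victim's cookie attached; what the same-origin policy (and its CORS relaxation) controls is whether the calling page may read the response, and therefore whether the anti-CSRF token embedded in the victim's page can be lifted. `corsCheck()` follows the "CORS check" algorithm from the WHATWG Fetch standard; the hosts, cookie, token value and the server-side `policy` variants are constructed for the demonstration, and the "reflect-origin" policy is an assumed misconfiguration, not something the answer attributes to any real site.

```javascript
// Added example, not from the original question or answer: a model of the
// browser-side CORS check that decides whether a page at one origin may READ
// the response to a credentialed XMLHttpRequest/fetch to another origin.
// corsCheck() follows the "CORS check" algorithm of the WHATWG Fetch standard;
// the hosts, cookie, token and server policies below are constructed.

const EXAMPLE_ORIGIN = "https://example.com";      // constructed target site
const PARTNER_ORIGIN = "https://partner.example";  // constructed allow-listed site
const SESSION_COOKIE = "session=abc123";           // constructed logged-in session

// Browser-side CORS check (Fetch standard). Returns true if the page at
// requestOrigin is allowed to read the response carrying these headers.
//   credentials: "include" when cookies / HTTP auth were attached, else "omit"
//   headers:     response headers, lower-cased names
function corsCheck(requestOrigin, credentials, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;                  // no CORS headers: opaque
  if (credentials !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;              // must match exactly
  if (credentials !== "include") return true;
  // Credentialed responses additionally need an explicit opt-in, and "*" was
  // already rejected above for this mode, so a wildcard can never leak cookies.
  return headers["access-control-allow-credentials"] === "true";
}

// Constructed stand-in for example.com. A logged-in user's page embeds the
// secret anti-CSRF token the answer refers to. `policy` models how the site
// chose to answer cross-origin requests:
//   "none"           - no CORS headers (the default for most sites)
//   "wildcard"       - Access-Control-Allow-Origin: *
//   "allowlist"      - allow PARTNER_ORIGIN with credentials
//   "reflect-origin" - echo any Origin and allow credentials (assumed misconfiguration)
function exampleComServer(policy, requestOrigin, cookie) {
  const loggedIn = cookie === SESSION_COOKIE;
  const headers = { "content-type": "text/html" };
  if (policy === "wildcard") {
    headers["access-control-allow-origin"] = "*";
  } else if (policy === "allowlist" && requestOrigin === PARTNER_ORIGIN) {
    headers["access-control-allow-origin"] = PARTNER_ORIGIN;
    headers["access-control-allow-credentials"] = "true";
  } else if (policy === "reflect-origin" && requestOrigin) {
    headers["access-control-allow-origin"] = requestOrigin;
    headers["access-control-allow-credentials"] = "true";
  }
  const body = loggedIn
    ? '<form action="/transfer"><input type="hidden" name="csrf" value="t0k3n-9f2a"></form>'
    : "login required";
  return { status: loggedIn ? 200 : 401, headers, body };
}

// Simulate the browser: a page at pageOrigin issues an XHR with
// withCredentials = true to example.com. The request always leaves with the
// user's cookie attached (which is why CSRF is possible at all); the browser
// only hands the body to the page if the same-origin or CORS check passes.
function credentialedXhr(pageOrigin, policy) {
  const sameOrigin = pageOrigin === EXAMPLE_ORIGIN;
  const originHeader = sameOrigin ? undefined : pageOrigin;  // Origin header is sent cross-origin
  const response = exampleComServer(policy, originHeader, SESSION_COOKIE);
  const readable = sameOrigin || corsCheck(pageOrigin, "include", response.headers);
  return readable
    ? { ok: true, status: response.status, body: response.body }
    : { ok: false, status: 0, body: "" };  // a blocked XHR reports status 0, empty responseText
}

// What attacker.com is after: the CSRF token in the victim's page.
function extractCsrfToken(body) {
  const m = /name="csrf" value="([^"]+)"/.exec(body || "");
  return m ? m[1] : null;
}

// Run the scenarios from the answer when executed directly.
if (typeof require !== "undefined" && require.main === module) {
  for (const [origin, policy] of [
    [EXAMPLE_ORIGIN, "none"],                   // own page: readable, token available to legit JS
    ["https://attacker.com", "none"],           // blocked: the same-origin policy at work
    ["https://attacker.com", "wildcard"],       // still blocked: "*" is never valid with credentials
    [PARTNER_ORIGIN, "allowlist"],              // readable: example.com explicitly trusts partner
    ["https://attacker.com", "allowlist"],      // blocked: not on the list
    ["https://attacker.com", "reflect-origin"], // LEAK: reflecting Origin plus credentials
  ]) {
    const r = credentialedXhr(origin, policy);
    console.log(`${origin.padEnd(24)} policy=${policy.padEnd(14)} readable=${r.ok} token=${extractCsrfToken(r.body)}`);
  }
}
```

The model deliberately does not stop the request from being sent: cookies still ride along, the state-changing request still reaches example.com, and only the secret token that would make a forged request valid stays out of attacker.com's reach. That is exactly the gap the answer describes. The `<script>`/JSONP workaround mentioned in the question is not modelled here; it is readable cross-origin precisely because a script tag executes the response rather than exposing its bytes, which is why JSONP endpoints must not embed per-user secrets.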

