前缀来自ASP.NET Core的所有JSON响应以防止XSSI攻击 [英] Prefix all JSON responses from ASP.NET Core to prevent XSSI attacks

问题描述

我想用众所周知的字符串)]}'，\ n" 为来自ASP.NET Core的所有JSON响应添加前缀，以防止XSSI攻击.(请参见 https://angular.io/docs/ts/最新的/guide/security.html#!#xss 了解更多信息.)

I would like to prefix all JSON responses from ASP.NET Core with the well-known string ")]}',\n", to prevent XSSI attacks. (See https://angular.io/docs/ts/latest/guide/security.html#!#xss for more details.)

这怎么实现?我认为我应该使用过滤器或中间件，但不能完全找到正确的方法.

How could this be accomplished? I think I should use a filter or middleware, but can't quite work out the correct approach.

推荐答案

是的，可以使用如下所示的中间件或过滤器:

Yes, it is possible with a middleware or a filter like below:

public class EditResponseFilter : Attribute, IAsyncResourceFilter
{
    private const string _prefix = ")]}',\n";

    public async Task OnResourceExecutionAsync(ResourceExecutingContext context, ResourceExecutionDelegate next)
    {
        var originBody = context.HttpContext.Response.Body;

        var newBody = new MemoryStream();

        //Body replacement is needed to make the response stream readable
        context.HttpContext.Response.Body = newBody;

        await next();

        newBody.Seek(0, SeekOrigin.Begin);

        string json = new StreamReader(newBody).ReadToEnd();

        context.HttpContext.Response.Body = originBody;

        await context.HttpContext.Response.WriteAsync(_prefix + json);
    }
}

这篇关于前缀来自ASP.NET Core的所有JSON响应以防止XSSI攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！