前缀来自ASP.NET Core的所有JSON响应以防止XSSI攻击 [英] Prefix all JSON responses from ASP.NET Core to prevent XSSI attacks
本文介绍了前缀来自ASP.NET Core的所有JSON响应以防止XSSI攻击的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我想用众所周知的字符串)]}',\ n"
为来自ASP.NET Core的所有JSON响应添加前缀,以防止XSSI攻击.(请参见 https://angular.io/docs/ts/最新的/guide/security.html#!#xss 了解更多信息.)
I would like to prefix all JSON responses from ASP.NET Core with the well-known string ")]}',\n"
, to prevent XSSI attacks. (See https://angular.io/docs/ts/latest/guide/security.html#!#xss for more details.)
这怎么实现?我认为我应该使用过滤器或中间件,但不能完全找到正确的方法.
How could this be accomplished? I think I should use a filter or middleware, but can't quite work out the correct approach.
推荐答案
是的,可以使用如下所示的中间件或过滤器:
Yes, it is possible with a middleware or a filter like below:
public class EditResponseFilter : Attribute, IAsyncResourceFilter
{
private const string _prefix = ")]}',\n";
public async Task OnResourceExecutionAsync(ResourceExecutingContext context, ResourceExecutionDelegate next)
{
var originBody = context.HttpContext.Response.Body;
var newBody = new MemoryStream();
//Body replacement is needed to make the response stream readable
context.HttpContext.Response.Body = newBody;
await next();
newBody.Seek(0, SeekOrigin.Begin);
string json = new StreamReader(newBody).ReadToEnd();
context.HttpContext.Response.Body = originBody;
await context.HttpContext.Response.WriteAsync(_prefix + json);
}
}
这篇关于前缀来自ASP.NET Core的所有JSON响应以防止XSSI攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文