Is it safe to use $.support.cors = true; in jQuery?

Views: 11

Question

I was trying to hit a web service on a different domain using jQuery's ajax method. After doing some research, it looks like it does not allow this; this is by design, to prevent cross-site scripting.

I came across a workaround, which was to include this line:

$.support.cors = true;

at the top of my JavaScript code. From what I understand, this enables cross-site scripting in jQuery.

Does having this line of code make my site more vulnerable to attack? I've always heard XSS discussed as a security issue; are there legitimate uses for XSS?

Recommended answer

XSS is not a feature that can be enabled in jQuery. It would be very, very unusual if the jQuery core had an XSS vulnerability, but it is possible, and it's called DOM-based XSS.

"Cross-Origin Resource Sharing" or CORS isn't the same as XSS. BUT, if a web application had an XSS vulnerability, then an attacker would have CORS-like access to all resources on that domain. In short, CORS gives you control over how you break the same-origin policy, such that you don't need to introduce a full-on XSS vulnerability.

The $.support.cors query feature relies upon the Access-Control-Allow-Origin HTTP response header. This could be a vulnerability. For example, if a web application had Access-Control-Allow-Origin: * on every page, then an attacker would have the same level of access as an XSS vulnerability. Be careful on which pages you introduce CORS headers, and try to avoid * as much as possible.

So to answer your question: NO, a web application never needs to introduce an XSS vulnerability, because there are ways around the SOP such as CORS/JSONP/cross-domain proxies/access-control-origin.
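As an added illustration of the allowlist-versus-wildcard point in the answer above (example code, not from the original post or from jQuery), a server-side policy that emits Access-Control-Allow-Origin only for known origins and only on the endpoint that needs it; the origins, the endpoint path and the payload are assumed values:

```javascript
// Added example, not code from the original post: a small CORS policy for an
// HTTP API, contrasting the wildcard the answer warns about with an explicit
// origin allowlist. Origins, the endpoint path and the payload are constructed.

// Origins allowed to read this API from a browser (assumed values).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak policy: every response says "any origin may read me", so a page on
// any site can read the body via XHR from a visitor's browser.
function weakCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened policy: echo only an allowlisted origin, never reflect the request
// Origin blindly, and mark the response as varying on Origin for caches.
// Unknown origins get no CORS header, so the same-origin policy still blocks
// the cross-origin read.
function corsHeaders(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
}

// Framework-agnostic handler: req is { url, headers }, result is
// { status, headers, body }. CORS headers go on the one API endpoint that
// needs them, not on every page the application serves.
function handle(req) {
  if (req.url === "/api/balance") {
    const headers = Object.assign(
      { "Content-Type": "application/json" },
      corsHeaders(req.headers.origin)
    );
    return { status: 200, headers, body: JSON.stringify({ balance: 42 }) };
  }
  return { status: 404, headers: {}, body: "" };
}
```

Wire handle() into whatever HTTP server you use; the point is that a request whose Origin is not on the list receives no Access-Control-Allow-Origin header at all, rather than a reflected or wildcard value.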
