Cross-Site Scripting requirement makes my API useless


Problem description

Maybe I'm just not understanding this right, but this doesn't seem to make sense to me. I have an MVC4 project exposing an ASP.NET WebApi. It works great making calls to the API within that project, but obviously making calls to it from another running project (on another port) requires cross-site scripting.

But here's my question: Doesn't this defeat the purpose of an API? If I want to make calls to the reddit API from my site, the fact that this is considered cross-site scripting makes it not only a bad security practice, but in some cases impossible.

If XSS is required to do this, doesn't that make AJAX pretty useless as a whole?

Recommended answer

Simple answer: Of course not! Pretty much the whole of the modern web is built on AJAX; if it was so pointless it would never have gone from an MS proprietary API to being the backbone of web 2.0 and all that has come since.

Complex answer: Firstly, XSS is a form of attack/vulnerability, not a form of request. What you're referring to is the same-origin policy, which limits AJAX requests to the same domain, for security reasons.

JSONP is typically used to make async requests to third-party APIs. Your own API will typically sit on the same domain as your website, so you will not have problems. If your API must be on another domain, you can either look at CORS or set up a transparent reverse proxy to forward your requests to another server.

Hopefully this all makes sense; it'll at least give you a good foundation of knowledge to build from.
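The answer above separates the same-origin policy from XSS and points to CORS when the API lives on another origin. The following is an added example, not code from the question, the answer, or ASP.NET WebAPI: it shows in Python how the browser's same-origin test works (scheme, host and port must all match, which is why an API on another port counts as a different origin) and how a server should compute CORS response headers against an exact-match allowlist, including the preflight response. The allowlist entries and every origin value are constructed for illustration.

```python
"""Same-origin test and CORS allowlist logic for an API served from a different
origin (for example another port) than the page calling it.

Added example, not code from the original question, answer or ASP.NET WebAPI.
ALLOWED_ORIGINS and all origin strings below are constructed for illustration.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed allowlist of exact origins (scheme://host[:port]) permitted to call the API.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "http://localhost:3000",
})


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port.

    Returns None for anything that is not an http(s) URL with a host, so an
    opaque Origin such as "null" or a malformed port never matches anything.
    Path, query and fragment play no part in the origin.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme])


def is_same_origin(url_a, url_b):
    """The browser's same-origin test: scheme, host and port must all be equal."""
    a, b = origin_of(url_a), origin_of(url_b)
    return a is not None and a == b


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS, allow_credentials=True):
    """Compute CORS response headers for a request carrying an Origin header.

    Returns {} (no CORS headers, so the browser withholds the response from the
    page) unless the Origin matches an allowlisted origin exactly.  The validated
    origin is echoed back instead of "*": browsers reject "*" on credentialed
    responses, and whole-origin comparison avoids prefix/suffix matching mistakes
    such as accepting "http://localhost:3000.evil.example".
    """
    if request_origin is None:
        return {}  # same-origin or non-browser request: no CORS headers needed
    requested = origin_of(request_origin)
    if requested is None or not any(origin_of(c) == requested for c in allowed):
        return {}
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",  # the response differs per Origin; keep shared caches honest
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def preflight_headers(request_origin, requested_method, requested_headers=(),
                      allowed=ALLOWED_ORIGINS):
    """Answer an OPTIONS preflight, granting only what the API actually uses."""
    base = cors_headers(request_origin, allowed)
    if not base:
        return {}
    allowed_methods = {"GET", "POST", "PUT", "DELETE"}       # constructed for the example
    allowed_headers = {"content-type", "authorization"}      # constructed for the example
    if requested_method.upper() not in allowed_methods:
        return {}
    if any(h.lower() not in allowed_headers for h in requested_headers):
        return {}
    base.update({
        "Access-Control-Allow-Methods": ", ".join(sorted(allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(sorted(allowed_headers)),
        "Access-Control-Max-Age": "600",
    })
    return base


if __name__ == "__main__":
    # The situation from the question: same host, different port => different origin.
    print(is_same_origin("http://localhost:5000/api/values", "http://localhost:5001/"))
    print(cors_headers("http://localhost:3000"))
    print(cors_headers("http://localhost:3000.evil.example"))
```

Two points worth noting in the design: an absent `Origin` header yields no CORS headers at all, which is the correct behaviour for same-origin and non-browser callers, and a rejected origin also yields nothing rather than an error body, since the browser enforces the policy purely on the presence and value of the headers.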
