How to protect widgets from forged requests


Question

Let's say you have a JavaScript widget which needs to fire off a request to your web application if and only if the user wants to click on it. You don't want this request to be vulnerable to CSRF, so you write an iframe to the page. Based on the origin inheritance rules the parent site won't be able to read the CSRF token. However, what about clickjacking (or likejacking)? Because of CSRF you must be within an iframe and therefore x-frame-options (https://www.owasp.org/index.php/Clickjacking#Defending_with_response_headers) cannot help, and the same holds true for frame-busters.

The attacker is going to apply an SVG mask to the iframe after the widget has loaded. This mask will make the iframe invisible. At this point the attacker can either resize the iframe to be the size of the page or have this now invisible iframe follow the cursor. Either way, whenever the user clicks anywhere on the page, the iframe receives the click event and it's game over.

So there is a duality: it seems you are stuck between CSRF and clickjacking. What is the best solution (if any) to this problem?

Answer

Clicking on the widget needs to open a pop-up window containing a new page -- an iframe is not good enough, it must be a new window -- which is entirely under the control of your web application. Confirm the action, whatever it is, on that page.

Yes, this is somewhat inelegant, but the present Web security architecture doesn't give you any better options.
