Allow cross-domain Ajax requests


Problem description


In my project, I need to allow others to send Ajax requests to my script. So external requests may come from other websites and domains, and maybe from browser extensions.
I've simply added these two lines at the top of my script to let them do it:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');  

Now my question is this: Is there any security consideration I've missed? Does this simple solution cause serious problems?
If so, what is the better solution?

Thanks for response.

Solution

As mentioned above, anyone can send a request to your page at any time: so the major security concerns you need are to validate user input and only reveal information that is available for public consumption. But that applies to all scripts.

The two main issues you need to concentrate on (after validating user input) are:

  1. The problem you may have is users receiving the information into their scripts. Depending on the browser (and even between flavours of the same browser) there are different security rules that prevent them from getting the information back. A common solution to this is to provide information back as "JSONP" which is to wrap your return value as a function call that can be executed by the client. Here's a quick example (taken from http://www.geekality.net/2010/06/27/php-how-to-easily-provide-json-and-jsonp/). To further lock it down, you can insist that all queries are JSONP and reject anyone not sending the callback function.


<?php
// Only accept a plain JavaScript identifier as the callback name and reject
// everything else, so the response cannot be turned into arbitrary script.
$callback = isset($_GET['callback']) ? $_GET['callback'] : '';
if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$.]*$/', $callback)) {
    http_response_code(400);
    exit('Missing or invalid callback');
}
// A JSONP response is a script, so label it as one.
header('Content-Type: application/javascript; charset=utf-8');
$data = array(1, 2, 3, 4, 5, 6, 7, 8, 9);
echo $callback . '(' . json_encode($data) . ');';
?>

  2. Someone abusing your service by calling too regularly. Solutions for this are to trap the IP address and reject if you get too many calls from an IP address. Not foolproof, but it's a start.

Other factors to bear in mind:

  • cookies and other headers set by your script will probably be ignored
  • same applies to sessions
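As an added example that is not part of the original question or answer: the same kind of PHP script with the wildcard `Access-Control-Allow-Origin: *` replaced by an explicit origin allow-list and a preflight handler, which is the usual answer to "what is the better solution?". The origin names in `$allowedOrigins` are placeholders.

```php
<?php
// Added example, not code from the original post. Replaces the wildcard
// origin with an exact-match allow-list, answers preflight requests, and
// only opts in to credentials for origins that are explicitly trusted.
// The entries below are placeholders; substitute your own origins.
$allowedOrigins = array(
    'https://partner.example',
    'https://tools.example',
);

$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';

// Exact string comparison only. Prefix, substring or regex matching is how
// allow-lists usually get bypassed (e.g. "https://partner.example.evil.test").
if ($origin !== '' && in_array($origin, $allowedOrigins, true)) {
    header('Access-Control-Allow-Origin: ' . $origin);
    // Caches must key on Origin, otherwise one caller's header is served
    // to a different origin.
    header('Vary: Origin');
    // Browsers refuse credentials when the origin is "*", which is why the
    // answer says cookies and sessions are ignored with the original setup.
    // With a named origin you can opt in, but then treat every request as a
    // logged-in action and apply your normal CSRF checks to it.
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Allow-Methods: GET, POST');
    header('Access-Control-Allow-Headers: Content-Type');
    header('Access-Control-Max-Age: 600');
}
// Unknown origins get no CORS headers at all: the browser blocks script
// access to the response and no "*" is ever handed out.

// Preflight: the browser sends OPTIONS before a non-simple request.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);
    exit;
}

// Normal handling continues here; validate input before using it.
header('Content-Type: application/json; charset=utf-8');
echo json_encode(array('data' => array(1, 2, 3)));
```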
