限制Ajax调用的起源 [英] Restrict ajax call origin
问题描述
我有一个Facebook应用程序,而有些功能需要通过AJAX运行某些sripts。有没有一种方法,以确保该脚本只能从里面我的应用程序叫什么名字?我使用jQuery的Ajax调用是这样的:
I have a facebook application, and some functionalities require some sripts running via ajax. Is there a way to ensure that the script is only called from inside my app? I use jquery for the ajax calls like this:
$.post('script.php', {var1: val1, var2: val2}, function(data){...});
。
里面的script.php的code运行一些SQL查询,只需要检查所有需要的变量都通过Ajax调用传递。
还有什么我应该检查,以便脚本只能执行,如果所谓的从我的应用程序,而不是通过显式调用?
.
The code inside script.php runs some sql queries and just check that all requested variables are passed through the ajax call.
What else should i check so that the script can only execute if called from my app and not by explicit calls?
在此先感谢。
推荐答案
有极少数的方法,你可以确保100%的把握认为Ajax请求是从您的应用程序调用。如果这是一个关键任务(高安全性)的要求,那么我会保护它,我将确保任何特定的网络资源以同样的方式:
There are very few ways that you can make sure with 100% certainty that the Ajax request is being called from your app. If that was a mission-critical (high-security) requirement, then I would secure it the same way that I would secure any particular web resource:
- 使用SSL
- 需要登录网关建立会话
- 允许请求处理之前,请检查该届会议的有效性
如果你不想去通过建立会话的麻烦,再就是少了一些,但仍然是preventing接入(因果访问,这是)非常有帮助的方式:
If you don't want to go through the hassle of establishing a session, then there are less certain, but still quite helpful means of preventing access (causal access, that is):
检查两个请求头的presence:介绍人和X-要求-方式。推荐人应该包含你的基页的URL,而X-要求,随着应该包含XMLHtt prequest。这些都可以伪造,但它需要一个更确定的黑客比别人简单地浏览到直接的URL。
Check for the presence of two request headers: Referrer and X-Requested-With. Referrer should contain the URL of your base page, and X-Requested-With should contain XMLHttpRequest. These can be faked, but it would require a much more determined "attacker" than someone simply browsing to the URL directly.
这篇关于限制Ajax调用的起源的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!