What are the security risks in using cross-domain XMLHttpRequest?


Question


In many places I've seen people have talked about the Cross-Domain XMLHttpRequest, which is not possible, due to some security reasons. However, I haven't found a post indicating what those security reasons actually are?


People have mentioned that JSONP is one of the good alternatives. Another alternative would be to use Origin and Access-Control-Allow-Origin headers.


However, I just want to know what security problems can be raised due to cross-domain XMLHttpRequest usage?

Answer


I think it would be best to answer your question with an example of WHY it would be horrendously bad.


You go to my website (example.org). I load a script that makes a client-side AJAX request to facebook.com/messages/from/yourgirlfriend. You happened to be logged in to facebook, and your browser tells Facebook that my request is actually you. Facebook happily gives my request that message about the strange sexual things you want to try. I now know things about you you probably didn't want me to know.


This, of course, is a wild exaggeration, and thankfully not possible thanks to the same-origin policy.


Don't you feel safer now?
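The answer's scenario is what a server re-creates for itself when it grants credentialed CORS access to any Origin. As an added example (not part of the original answer or of any real site's code), here is the weak server-side policy next to a hardened allow-list version; the allow-list contents and header-building functions are hypothetical.

```javascript
// Weak policy: reflect whatever Origin the browser sent and allow credentials.
// Browsers refuse "*" together with credentials, so careless servers echo the
// Origin instead. Any site the victim visits can then read responses made
// with the victim's cookies: exactly the example.org -> facebook.com case above.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy: only a fixed allow-list of trusted origins gets a
// credentialed grant. Everything else gets no CORS headers at all, so the
// browser's same-origin policy blocks the cross-origin read of the response.
function allowListCorsHeaders(requestOrigin, allowedOrigins) {
  // Exact match, scheme included. The literal "null" origin (sandboxed
  // iframes, file://) is never trusted even if someone adds it to the list.
  if (!requestOrigin || requestOrigin === 'null' || !allowedOrigins.has(requestOrigin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin, // echoed only after the check
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // stops caches serving one origin's grant to another
  };
}

// Constructed allow-list for illustration.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);

// Illustrative calls (return values are what a server would send back).
reflectingCorsHeaders('https://example.org');                  // credentialed grant to the attacker's site
allowListCorsHeaders('https://example.org', TRUSTED_ORIGINS);   // {} -> browser blocks the read
allowListCorsHeaders('https://app.example.com', TRUSTED_ORIGINS); // credentialed grant, with Vary: Origin
```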

