HTML5 Web Database Security


Problem description

Should the HTML5 database be used to store any form of private information?

Say we have the following scenario:

You're browsing a web-mail client that uses the web database to store mail drafts. After you've written some information, you close the web browser. What's to stop me from getting access to this information?

If the webpage tries to clean out old information when opened, a user-script could easily prevent the website from fully loading and then search through the database. Furthermore, the names of databases and tables are easily available through the web-mail client's source.

W3C draft

Recommended answer

The only way an external party could access the user's database is via direct access to the user's computer, or if your web app has a security vulnerability (such as XSS - Cross Site Scripting). Otherwise, standard browser security dictates that only scripts running in web pages from a certain domain can access databases that were created/stored on that same domain (same-origin policy), the same thing that stops you making cross-domain Ajax requests or reading other websites' cookies, all of which can be overcome via an XSS attack.

To me, storing a draft email seems reasonably sensible, whereas things like credit card details, passwords etc. should be stored exclusively server-side. You'll need to make a call as to what should be stored where, based on what you're going to store.
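The answer's rule of thumb (drafts may live client-side, credentials and card data never) can be enforced in code rather than left to convention. The example below is added here and is not code from the question or the answer: it is a small policy layer for a web-mail client that refuses to persist server-only fields, redacts payment-card-like numbers pasted into a draft body, expires drafts on read instead of relying on a page-load cleanup routine, and wipes all drafts on logout. `MemoryStorage`, the field names in `SERVER_ONLY_FIELDS`, the `draft:` key prefix and the one-day TTL are all assumptions made for illustration; `MemoryStorage` stands in for `window.localStorage` or a Web SQL table so the code runs offline in Node.

```javascript
// Constructed stand-in for browser storage (localStorage / a Web SQL table)
// so the example runs offline; it mirrors the Storage interface we use.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  key(i) { return [...this.map.keys()][i] ?? null; }
  get length() { return this.map.size; }
}

// Assumed field names that must never reach client-side storage. The
// same-origin policy only holds until XSS or local access defeats it, so
// these are kept server-side regardless of how the store is protected.
const SERVER_ONLY_FIELDS = new Set(['password', 'cardNumber', 'cvv', 'sessionToken']);

// Assumed policy: a draft older than one day is treated as expired.
const DRAFT_TTL_MS = 24 * 60 * 60 * 1000;

// Luhn checksum over a string of ASCII digits; true for 13-19 digit runs
// that check out, which is how payment-card numbers are recognised below.
function luhnValid(digits) {
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Replace card-like digit runs (optionally space- or dash-separated) in free
// text. Runs that fail the Luhn check, e.g. order numbers, are left alone.
function redactCardNumbers(text) {
  return text.replace(/\b\d(?:[ -]?\d){12,18}\b/g, (m) => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? '[REDACTED-CARD]' : m;
  });
}

class DraftStore {
  // `now` is injectable so expiry can be tested deterministically.
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
  }

  // Persist a draft: drop server-only fields, redact card numbers in strings,
  // and stamp the record so it can expire. Returns what was actually stored.
  saveDraft(id, draft) {
    const safe = {};
    for (const [k, v] of Object.entries(draft)) {
      if (SERVER_ONLY_FIELDS.has(k)) continue;
      safe[k] = typeof v === 'string' ? redactCardNumbers(v) : v;
    }
    const record = { savedAt: this.now(), draft: safe };
    this.storage.setItem(`draft:${id}`, JSON.stringify(record));
    return safe;
  }

  // Load a draft, deleting it if expired. Expiry-on-read keeps stale drafts
  // out of the UI without depending on a cleanup routine at page load; it is
  // not a confidentiality control, which is why secrets never enter the store.
  loadDraft(id) {
    const raw = this.storage.getItem(`draft:${id}`);
    if (raw === null) return null;
    const record = JSON.parse(raw);
    if (this.now() - record.savedAt > DRAFT_TTL_MS) {
      this.storage.removeItem(`draft:${id}`);
      return null;
    }
    return record.draft;
  }

  // Remove every draft (e.g. on logout); other keys are untouched.
  // Returns the number of drafts removed.
  clearAll() {
    const keys = [];
    for (let i = 0; i < this.storage.length; i++) keys.push(this.storage.key(i));
    const drafts = keys.filter((k) => k.startsWith('draft:'));
    for (const k of drafts) this.storage.removeItem(k);
    return drafts.length;
  }
}
```

The store treats the browser as untrusted for anything beyond the draft itself: whatever the same-origin policy does or does not prevent, a field that was never written cannot be read back by an XSS payload or by someone with the machine in hand. The Luhn filter is a best-effort catch for users pasting card numbers into message bodies; it is not a substitute for keeping `cardNumber` and friends off the client in the first place.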
