What is the sense of crossdomain.xml and clientaccesspolicy.xml when there is e.g. PHP/cURL?


Problem description



So let's say I have a site and I do not have a crossdomain.xml or clientaccesspolicy.xml on it.

This means that people cannot access my site via Silverlight or Flash applications.

But they can use, say cURL in PHP (or the equivalent in other languages) to get the information from my site and provide it to their Silverlight and Flash applications via REST or WebService, etc.

• Can someone explain exactly how these restrictions protect my site, e.g. from cross domain scripting?

• What are they protecting against that couldn't be done with PHP/cURL and equivalents which do have access to my site via script?

Solution

PHP is a server side technology and code executes on the server, not on the user's machine. Silverlight is a client side technology that runs on the user's machine.

If Silverlight code could make arbitrary web requests to any domain, it would open the door to a whole host of cross-site scripting attacks.

Imagine this scenario:
Bob goes to www.OnlineBanking.com and logs in to check his account balance. He leaves this site by navigating to a different address. He does not click "Log Out", so he is still logged in (alternatively, he opens a new browser window/tab, leaving the banking site still open).
Bob browses to evil.com, which contains a Silverlight application.
The Silverlight application is downloaded and runs on Bob's machine.
This application makes a web request to www.OnlineBanking.com/secretaccountdetails.html. This file requires authentication to read (evil.com is not authenticated so cannot access it).
Bob however IS authenticated, and the request succeeds. The Silverlight application can read the contents of this file and do whatever it likes with it (including sending it to evil.com).

The cross-domain request restrictions in Silverlight prevent the above scenario from happening. When the request is made by the Silverlight app to OnlineBanking.com, it will check for a cross domain policy file since the app was served from a different domain. Since OnlineBanking.com does not have a policy file allowing cross domain requests, the request fails and the Silverlight application cannot download secretaccountdetails.html.
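A defender-side check for the policy files the answer describes, added here as an example and not part of the original thread: it parses a Flash crossdomain.xml and a Silverlight clientaccesspolicy.xml and flags entries that would re-enable the evil.com scenario above (a wildcard origin, or a grant that covers the whole site). The two sample documents and the audit functions are constructed for this example.

```python
# Audit crossdomain.xml (Flash) and clientaccesspolicy.xml (Silverlight) for entries that
# let any origin perform credentialed reads. Both policy documents are constructed samples.
import xml.etree.ElementTree as ET

# Constructed Flash policy: wildcard origin, and http origins allowed to read https content.
CROSSDOMAIN_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="partner.example"/>
</cross-domain-policy>"""

# Constructed Silverlight policy: one origin, one path, not the whole site.
CLIENTACCESSPOLICY_XML = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="https://partner.example"/>
      </allow-from>
      <grant-to>
        <resource path="/api/public" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

def audit_crossdomain(xml_text):
    """Return (severity, message) findings for a crossdomain.xml document."""
    findings = []
    for node in ET.fromstring(xml_text).iter("allow-access-from"):
        domain = node.get("domain", "")
        if domain == "*":  # any site's SWF may read authenticated content: the evil.com case
            findings.append(("high", "domain=* allows every origin"))
        elif domain.startswith("*."):
            findings.append(("medium", "wildcard %s trusts every host under it" % domain))
        if node.get("secure", "true").lower() == "false":
            findings.append(("medium", "secure=false lets an http origin read https content"))
    return findings

def audit_clientaccesspolicy(xml_text):
    """Return findings for a clientaccesspolicy.xml document."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        for dom in policy.iter("domain"):
            if dom.get("uri") == "*":
                findings.append(("high", "uri=* allows every origin"))
        for res in policy.iter("resource"):
            if res.get("path") == "/" and res.get("include-subpaths", "false").lower() == "true":
                findings.append(("medium", "grant covers the whole site"))
    return findings
```

Run the two audit functions over the policy files you actually serve; an empty result means no entry grants arbitrary origins a credentialed read.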
