Security of WebSocket in light of no same origin connection policy
I am worried about the security implications of the fact that WebSockets can open connections to servers other than the one from which the script was loaded. Is there at least a plugin I can install that would tell me if a WebSocket is opening a connection to a non-originating server? I can imagine falling victim to a Cross Site Scripting attack, which then opens up a WebSocket to some malicious server.

Is this really a problem? If so, why is it allowed?
If you want to check whether a cross origin WebSocket is about to be opened, then you can use this code:
(function(w) {
    var org_websocket = w.WebSocket,
        // escape regex metacharacters in the page host (host may include a port)
        reg_host = location.host.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, "\\$&"),
        // note the comma: in the original a semicolon here made `pattern` an implicit global
        pattern = new RegExp("^(ws|wss)://" + reg_host + "(/.*)?$");
    w.WebSocket = function(url, protocols) {
        if (!pattern.test(url)) {
            alert("cross site websocket");
        }
        // forward the optional protocols argument so existing callers keep working
        return protocols === undefined ? new org_websocket(url) : new org_websocket(url, protocols);
    };
    // keep `socket instanceof WebSocket` working for code that checks it
    w.WebSocket.prototype = org_websocket.prototype;
})(window);
If you ensure that it runs before any other script, then you'll be in control. This is still not 100% secure, since the original WebSocket class can be retrieved by other means (iframes?). And there are probably other security holes in JavaScript that I'm not aware of. On the other hand, it is always possible to hack a client; you should not rely on that.
Now as for security. It is an issue, and it can be a serious one. But on the other hand it cannot be prevented with simple HTTP either (JSONP). That's why the cross site request policy is getting weaker (it's a big restriction for normal developers while not being secure at all).

For example, we already have Cross Origin Resource Sharing. So it is up to developers to ensure that their web servers are secure (i.e. proper escaping of whatever a user passes to the server).
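The answer's wrapper matches the page host with a hand-built regular expression, which misses a few cases a practitioner will hit: relative URLs, `http:`/`https:` URLs (current browsers accept them in the constructor), and the default-port equivalence between `wss://host:443` and an `https://host` page. The following is an added example, not code from the original answer or the site: it performs the same check with the URL parser, wraps `WebSocket` while preserving the `protocols` argument, `instanceof` and the `OPEN`/`CLOSED` constants, and reports mixed-content `ws://` from an `https:` page separately. The function names, the fake window and the hostnames are assumptions made for the example; no real connection is opened.

```javascript
"use strict";
// Added example (not from the original answer): same-origin classification of
// WebSocket URLs plus a window.WebSocket guard. Names and sample hosts are assumed.

// Map schemes the WebSocket constructor accepts to ws/wss. Modern browsers also
// take http:/https: and upgrade them.
const WS_SCHEME = { "ws:": "ws", "wss:": "wss", "http:": "ws", "https:": "wss" };
const DEFAULT_PORT = { ws: "80", wss: "443", "http:": "80", "https:": "443" };

// Classify a WebSocket URL against the page it would be opened from.
// pageLocation only needs an href, so window.location works directly.
function classifyWebSocketUrl(url, pageLocation) {
  const page = new URL(pageLocation.href);
  let target;
  try {
    // Relative URLs resolve against the page, as the constructor does.
    target = new URL(String(url), page.href);
  } catch (err) {
    return { sameOrigin: false, insecure: false, reason: "unparseable URL", target: String(url) };
  }
  const scheme = WS_SCHEME[target.protocol];
  if (!scheme) {
    return { sameOrigin: false, insecure: false, reason: "not a WebSocket scheme", target: target.href };
  }
  // URL drops default ports, so compare effective ports explicitly:
  // wss://host:443 and an https://host page are the same origin.
  const targetPort = target.port || DEFAULT_PORT[scheme];
  const pagePort = page.port || DEFAULT_PORT[page.protocol] || "";
  const sameOrigin = target.hostname === page.hostname && targetPort === pagePort;
  // ws:// from an https: page is mixed content (browsers block it anyway).
  const insecure = page.protocol === "https:" && scheme === "ws";
  return {
    sameOrigin,
    insecure,
    reason: sameOrigin ? "" : "host or port differs from the page",
    target: `${scheme}://${target.hostname}:${targetPort}${target.pathname}`,
  };
}

// Wrap win.WebSocket so every constructor call is classified first.
// onCrossOrigin receives the verdict; the connection is still made, as in the
// answer's snippet. Returns a function that restores the original constructor.
function installWebSocketGuard(win, onCrossOrigin) {
  const Original = win.WebSocket;
  function GuardedWebSocket(url, protocols) {
    const verdict = classifyWebSocketUrl(url, win.location);
    if (!verdict.sameOrigin) onCrossOrigin(verdict);
    // Forward both arguments; the answer's snippet drops `protocols`.
    return protocols === undefined ? new Original(url) : new Original(url, protocols);
  }
  // Keep `socket instanceof WebSocket` and WebSocket.OPEN etc. working.
  GuardedWebSocket.prototype = Original.prototype;
  for (const name of ["CONNECTING", "OPEN", "CLOSING", "CLOSED"]) {
    GuardedWebSocket[name] = Original[name];
  }
  win.WebSocket = GuardedWebSocket;
  return function uninstall() { win.WebSocket = Original; };
}

// Demo against a constructed fake window (no network) so it runs under Node.
function demo() {
  class FakeWebSocket {
    constructor(url, protocols) { this.url = url; this.protocols = protocols; }
  }
  FakeWebSocket.OPEN = 1;
  const win = { WebSocket: FakeWebSocket, location: { href: "https://app.example.com/chat" } };
  const flagged = [];
  const uninstall = installWebSocketGuard(win, (v) => flagged.push(v.target));
  const first = new win.WebSocket("/socket", ["chat"]);   // same origin
  new win.WebSocket("wss://app.example.com:443/socket");   // same origin (default port)
  new win.WebSocket("wss://evil.example.net/exfil");       // flagged
  new win.WebSocket("ws://app.example.com/socket");        // port 80 vs 443: flagged
  const constantsKept = win.WebSocket.OPEN === 1;
  uninstall();
  return {
    flagged,
    protocolsForwarded: first.protocols[0] === "chat",
    instanceOk: first instanceof FakeWebSocket,
    constantsKept,
    restored: win.WebSocket === FakeWebSocket,
  };
}

if (typeof window === "undefined") {
  console.log(demo().flagged); // [ 'wss://evil.example.net:443/exfil', 'ws://app.example.com:80/socket' ]
}
```

As the answer notes, this is a hint for the page's own scripts, not a security boundary: any script that runs earlier, keeps a reference to the original constructor, or reads `WebSocket` from a fresh iframe's window bypasses it. The origin the server sees in the `Origin` request header is the only check an attacker-controlled page cannot rewrite, so the server-side validation the answer calls for is where the real enforcement belongs.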
Notice: the technical posts on this site follow the CC BY-SA 4.0 licence; if you need to repost, please credit this site or the original source. For any questions contact: yoyou2525@163.com.