
isn't the angularjs ui-router resolve insecure?

If I have the current state

// inside app.config(["$stateProvider", function ($stateProvider) { ... }])
$stateProvider.state("display", {
    url: "/display",
    templateUrl: "display.ng.html",
    controller: "DisplayController",
    controllerAs: "displayController"
});

and I add a resolve to the state so that only logged-in people can access the route, such as:

// added to the state definition above; the route only activates once the promise resolves
resolve: {
    "currentUser": ["$meteor", function ($meteor) {
        return $meteor.requireUser();
    }]
}

Taken from http://angular-meteor.com/tutorial/step_08

Doesn't this create a security hole?

Can't anyone open up the console in their browser and "re-write" the route so that it doesn't require the user?

If we target the question set forward, "Yes" would be the short answer. The truth behind that answer, though, is that it wasn't designed to be secure, as that is impossible. The second the user/client has finished downloading the page, they technically have full access to everything you gave them. No matter how many client-side precautions you take, people could just save your files, edit them as they please and reload the page using those files. They could go to whichever route they wanted, run whatever javascript they wanted, etc.

What does this mean? Never trust the user. Ever. If you don't want someone to see something, don't include it -at all- in the response. If you hide it client-side, nothing stops the user opening up the source viewer and just digging through files to find it. Even if you minify and everything, someone out there, with enough drive, can find everything.

Same applies to API calls, socket communication, etc. The client can send whatever they want. If they know the URL, expected data and sending method, they can just create their own fake client and send whatever the hell they want. This is why client-side validation is pretty much only useful for UI reasons (flagging boxes as red, saving time by refusing forms, etc.) but you MUST revalidate and recheck -everything- server side too.

tl;dr - Yes it's "insecure" but it's not angular/ui-router's fault. It's just the way it is with client-side development. If you don't want a user who doesn't have access to see something, don't include it AT ALL in the data/files you send them. Detect it and strip it out server-side.
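The answer's point, as an added Node.js example that is not code from the question, the answer or angular-meteor: the authorization gate lives on the server, so a client that rewrites or deletes the ui-router resolve gains nothing, because the data it needs still has to be fetched, and that fetch is what gets checked. The session store, session ids, roles, API paths and payload fields are constructed sample values, not anything from the page.

```javascript
// Added example (not from the original post): server-side enforcement that
// does not depend on the client's ui-router resolve. All ids, roles and
// payloads below are constructed sample values.

// Constructed in-memory session store (stands in for a real session backend).
const SESSIONS = new Map([
  ["sid-alice", { userId: "alice", roles: ["viewer"] }],
  ["sid-bob", { userId: "bob", roles: ["viewer", "admin"] }],
]);

// Which roles may read which API path. Anything not listed is unknown.
const ROUTE_ROLES = {
  "/api/display": ["viewer", "admin"],
  "/api/admin/audit": ["admin"],
};

// Server-side authentication: derive the user from the session cookie only,
// never from anything the client asserts about itself.
function authenticate(cookieHeader) {
  const match = /(?:^|;\s*)sid=([^;]+)/.exec(cookieHeader || "");
  if (!match) return null;
  return SESSIONS.get(match[1]) || null;
}

// Build the response body from the server's view of the user: fields the user
// may not see are never included, rather than included and hidden client-side.
function displayPayload(user) {
  const payload = { greeting: "hello " + user.userId };
  if (user.roles.includes("admin")) {
    payload.adminNotes = "visible to admins only";
  }
  return payload;
}

// One request = { path, cookie, claimedUser }. claimedUser models data a
// tampered client might send along; the server ignores it entirely.
function handleRequest(request) {
  const allowed = ROUTE_ROLES[request.path];
  if (!allowed) return { status: 404, body: null };
  const user = authenticate(request.cookie);
  if (!user) return { status: 401, body: null };
  if (!user.roles.some((role) => allowed.includes(role))) {
    return { status: 403, body: null };
  }
  return { status: 200, body: displayPayload(user) };
}

if (typeof require !== "undefined" && require.main === module) {
  // A client that deleted the resolve and navigated straight to /display
  // still has to fetch the data; without a valid session it gets 401.
  console.log(handleRequest({ path: "/api/display", cookie: "", claimedUser: "alice" }));
  console.log(handleRequest({ path: "/api/display", cookie: "sid=sid-alice" }));
  console.log(handleRequest({ path: "/api/admin/audit", cookie: "sid=sid-alice" }));
}
```

The `claimedUser` field is there to make the design choice visible: nothing the client says about who it is reaches the decision, only the server-side session does, and a viewer's payload simply never contains the admin-only field.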
