Can JavaScript safely fetch data from untrusted domains?

My webpage has a need to fetch data in a client-side-initiated way from domains which may (sometimes**) be untrusted/attacker-controlled.

Does JavaScript allow [safely] fetching data* from a domain which may be untrusted or attacker-controlled?

If so, which function is it?


Clarifications / Addendums / "inb4"s / PS:

* The data fetch protocol/format is not [yet] defined, not even as far as HTTP GET vs POST. I have no preference on the data format and may choose and implement it as required/appropriate, including even plaintext/delimited formats. There is no requirement to use JSON.

** Technically, the domains (which may be arbitrary/user-defined) must sometimes be loaded over HTTP, especially in the context of roaming non-VPN'd network connections, so this threat model is isomorphic to fetching data from adversarial servers. (And, yes, the safe handling of said untrusted data afterwards is out of scope for this question.)

XY Problem "X": the driving project here is a web browser homepage/app which will load content (ranging from preferences and trivial widgets to outright content) from sources which may be user-controlled and may (at the user's option) reside even on non-ICANN domains (such as local domains, OpenNIC domains, etc.). It is entirely within scope and expected/acceptable that some of this content will only be served via TLS, and it may serve a variety of purposes ranging from "canaries" (both of MITM presence and of mere network configuration checking) to outright location-specific data. TLS connections may or may not be available due to the aforementioned suite of reasons [that the domains are not pre-defined], and there is content which must/ought to/will be loaded even despite this case.

This is not a duplicate of #29022794. I have no requirement to use jQuery, and that question only asks whether $.getJSON() is safe to use on untrusted URLs (which, a. it does NOT seem to be; and b. even if it were, this question would be asking about the underlying function [that jQuery is calling], rather than asking how to use jQuery per se).

Penciling in a circumstantial yes: XMLHttpRequest appears to be safe to call on untrusted domains.

Justifications:

See OWASP's page on AJAX vulnerabilities:

  • Makes no mention of threats posed to a client by [this sort of] maliciously crafted server response; the only client-side risk(s) listed are injections of one sort or another.

See also this similar question on Security Stack Exchange:

  • OP's very question (whether it is safe to parse an XMLHttpRequest to an attacker-controlled server as JSON) necessarily assumes that it's safe to receive such.
  • Two users commented several times on the issue, discussing the implications of parsing said response, and at no point questioned this underlying assumption, only commenting on XSS injection attacks similar to those discussed by OWASP.
    • ThoriumBR (>5y member, 99.8th-percentile 2019 Information Security Stack Exchange user)
    • Ry (>8y member, Stack Overflow moderator)

While it's very hard to "prove" a negative, especially with security issues, the fact that there's an ocean of content online discussing the risks involved in parsing potentially malicious responses (XSS injection prevention), dealing with the risks to the servers of such (CORS), etc., without, apparently, even one scrap of discussion on this, means it's probably not one of the risks.
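The pattern the answer above is reaching for, written out as an added example that is not part of the original question or either answer, using the modern fetch API rather than XMLHttpRequest. The request itself is only dangerous if the page lets the remote server influence what runs (JSONP/script tags, eval) or lets the server spend the user's credentials or resources; the functions below treat the response strictly as bytes, omit credentials, refuse redirects and non-HTTP(S) schemes, cap the body size, and parse with JSON.parse while rejecting prototype-pollution keys before the result is merged into anything like the preferences the question mentions. Everything here is the example's own choice: the names fetchUntrusted and parseUntrustedJson, the 1 MiB cap, the rejected-key list, the depth limit and the mock origin untrusted.example are all assumptions, not anything from the thread. It assumes a modern browser or Node 18+ (global fetch, Response, URL, TextDecoder).

```javascript
// Added example (not from the original thread): fetch a resource from an
// untrusted / attacker-controlled origin as inert bytes and parse it without
// giving the remote server any way to run code in the page.
// Assumptions: modern browser or Node 18+ (global fetch, Response, URL,
// TextDecoder); the byte cap and rejected-key list are this example's choices.

const DEFAULT_MAX_BYTES = 1 << 20; // 1 MiB, an arbitrary cap chosen for this example

async function fetchUntrusted(url, { fetchImpl = globalThis.fetch, maxBytes = DEFAULT_MAX_BYTES } = {}) {
  // Only network schemes: a javascript:, data: or blob: URL would not be a fetch at all.
  const target = new URL(url);
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    throw new Error('refusing non-HTTP(S) scheme: ' + target.protocol);
  }
  // Over plain http: the body is attacker-controlled in transit, so it is
  // handled exactly like a response from a hostile server.
  const init = {
    method: 'GET',
    mode: 'cors',        // body is readable only if the server opts in via Access-Control-Allow-Origin
    credentials: 'omit', // never send the user's cookies or HTTP auth to this origin
    redirect: 'error',   // a redirect could point the request at an origin we did not choose
    cache: 'no-store',
  };
  const res = await fetchImpl(target.href, init);
  if (!res.ok) throw new Error('unexpected HTTP status ' + res.status);
  if (!res.body) return '';

  // Read the body incrementally and stop at maxBytes: a hostile server can stream forever.
  const reader = res.body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel();
      throw new Error('response too large (> ' + maxBytes + ' bytes)');
    }
    chunks.push(value);
  }
  const body = new Uint8Array(total);
  let offset = 0;
  for (const chunk of chunks) {
    body.set(chunk, offset);
    offset += chunk.byteLength;
  }
  // Decode as text; the bytes are data, never a script. fatal: true rejects
  // malformed UTF-8 instead of silently substituting replacement characters.
  return new TextDecoder('utf-8', { fatal: true }).decode(body);
}

function parseUntrustedJson(text, maxDepth = 32) {
  // JSON.parse is a pure data parser. eval(), new Function() or a JSONP
  // <script src=...> would execute whatever the server returned.
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    throw new Error('response is not valid JSON');
  }
  // JSON.parse stores "__proto__" as an ordinary own property, so this walk
  // sees it. A later recursive merge of this object into a preferences object
  // would otherwise write through to Object.prototype (prototype pollution).
  const rejectedKeys = new Set(['__proto__', 'constructor', 'prototype']);
  const walk = (value, depth) => {
    if (depth > maxDepth) throw new Error('JSON nested too deeply');
    if (value !== null && typeof value === 'object') {
      for (const key of Object.keys(value)) {
        if (rejectedKeys.has(key)) throw new Error('rejected key in untrusted JSON: ' + key);
        walk(value[key], depth + 1);
      }
    }
  };
  walk(data, 0);
  return data;
}
```

Two caveats a practitioner should keep in mind. The CORS opt-in is a protection for the remote server's resources, not for this page: an attacker-controlled server will happily send Access-Control-Allow-Origin: *, so nothing about a successful cors-mode read says the data is trustworthy. And the returned value is still untrusted data; rendering it with textContent rather than innerHTML, and never passing it to eval or a script element, is what keeps the question's "safe handling afterwards" out of the fetch layer.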

No. You cannot do it in a browser due to CORS security protection. If you ever found one, it is a bug and the browser will fix it.

You can, however, do it on the server side with the fetch API.
