
Best Practice: Legitimate Cross-Site Scripting

While cross-site scripting is generally regarded as negative, I've run into several situations where it's necessary.

I was recently working within the confines of a very limiting content management system. I needed to include database code within the page, but the hosting server didn't have anything usable available. I set up a couple bare-bones scripts on my own server, originally thinking that I could use AJAX to import the contents of my scripts directly into the template of the CMS (thus retaining dynamic images, menu items, CSS, etc.). I was wrong.

Due to the limitations of XMLHttpRequest objects, it's not possible to grab content from a different domain. So I thought iFrame - even though I'm not a fan of frames, I thought that I could create a frame that matched the width and height of the content so that it would appear native. Again, I was blocked by cross-site scripting "protections." While I could indeed load a remote file into the iFrame, I couldn't execute JavaScript to modify its size on either the host page or inside the loaded page.

In this particular scenario, I wasn't able to point a subdomain to my server. I also couldn't create a script on the CMS server that could proxy content from my server, so my last thought was to use a remote JavaScript.

A remote JavaScript works. It breaks when the user has JavaScript disabled, which is a downside; but it works. The "problem" I was having with using a remote JavaScript was that I had to use the JS function document.write() to output any content. Any output that isn't JS causes script errors. In addition to using document.write() for every line, you also have to ensure that the content is escaped - or else you end up with more script errors.

My solution was as follows:

My script received a GET parameter ("page") and then looked for the file ({$page}.php), and read the contents into a variable. However, I had to use awkward buffering techniques in order to actually execute the included scripts (for things like database interaction), then strip the final content of all line break characters (\n) followed by escaping all required characters. The end result is that my original script (which outputs JavaScript) accesses seemingly "standard" scripts on my server and converts their standard output to JavaScript for displaying within the CMS template.

While this solution works, it seems like there may be a better way to accomplish the same thing. What is the best way to make cross-site scripting work specifically for the purpose of including content from a completely different domain?
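The escaping step the question describes (wrap each line of a "standard" page's output in document.write() with everything escaped) is the part that is easy to get subtly wrong. This is an added example, not the asker's script: a server-side Node.js helper that does that wrapping with escaping for both the JavaScript string context and the HTML script-data context, so content containing "</script>" or "<!--" cannot terminate the script element on the CMS page. The function names and the sample HTML are constructed for the example.

```javascript
'use strict';

// Turns one line of HTML into a JS string literal that is safe both as
// JavaScript and inside an HTML <script> element.
function jsStringLiteral(text) {
  // JSON.stringify escapes quotes, backslashes and control characters,
  // including the line breaks the question had to strip by hand.
  return JSON.stringify(text)
    // The HTML tokenizer still sees "</script>" and "<!--" inside a string
    // literal; a backslash splits them and is an identity escape in JS.
    .replace(/<\//g, '<\\/')
    .replace(/<!--/g, '<\\!--')
    // U+2028/U+2029 were line terminators in pre-ES2019 engines.
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Wraps a whole HTML document in document.write() calls, one per source line.
function toRemoteScript(html) {
  return html.split(/\r?\n/)
    .map((line) => `document.write(${jsStringLiteral(line + '\n')});`)
    .join('\n');
}

// Constructed sample of what a "standard" page on the remote server might
// emit, including the characters that break a naive document.write wrapper.
const SAMPLE_HTML =
  '<div class="news">\n' +
  '  <p>Today\'s "special" offer</p>\n' +
  '  <script>track()</script>\n' +
  '</div>';
```

The output of toRemoteScript(SAMPLE_HTML) is what the remote script endpoint would serve with a JavaScript content type; the included page then executes it as the original document.write() approach did.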

You've got three choices:

  1. Create a server side proxy script.
  2. Create a remote script to read in remote dynamic HTML. Use a library like jQuery to make this easier. You can use the load function to inject HTML where needed. EDIT: What I originally meant for example #2 was utilizing JSONP, which requires the server side script to recognize the "callback=?" param.

  3. Use a client side Flash proxy and setup a crossdomain.xml file on your server's web root.

Personally, I would call to that other domain on the server and get and parse the data there for use in your page. That way you avoid any problems and you get the power of a server-side language/platform for getting and parsing the data.

Not sure if that would work for your specific scenario...hard to know even with your verbose description...
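Choice 2 above relies on the server recognising a "callback=?" parameter (jQuery replaces the "?" with a generated function name and the server wraps the JSON in a call to it). Because that name is reflected straight into a script body, the server must validate it before echoing it, or the endpoint becomes a reflected script-injection point on the serving domain. This is an added example, not code from the answer or from jQuery: a minimal Node.js JSONP responder with that validation; the function names and the sample data are constructed.

```javascript
'use strict';

// A JSONP callback must be a JS identifier, optionally dotted ("app.onData").
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// JSON is valid JS, but "</" is split so an embedded "</script>" cannot
// close the element the browser created for the JSONP response.
function jsonForScript(data) {
  return JSON.stringify(data)
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Builds the response for a query string like "page=news&callback=jQuery123".
// No callback parameter: plain JSON. Invalid callback: 400, nothing reflected.
function buildJsonpResponse(queryString, data) {
  const cb = new URLSearchParams(queryString).get('callback');
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (cb === null) {
    headers['Content-Type'] = 'application/json';
    return { status: 200, headers, body: jsonForScript(data) };
  }
  if (!isValidCallback(cb)) {
    headers['Content-Type'] = 'text/plain';
    return { status: 400, headers, body: 'invalid callback name' };
  }
  headers['Content-Type'] = 'application/javascript';
  // The leading /**/ is the conventional prefix that keeps the response from
  // being sniffed as some other file type when it is fetched via a plugin.
  return { status: 200, headers, body: `/**/${cb}(${jsonForScript(data)});` };
}

// Constructed sample of the data the remote "page" script might return.
const SAMPLE_DATA = { title: 'News', html: '<p>hello</p><script>track()</script>' };
```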

You can try easyXDM; by including very little code you can pass data or method calls between documents on different domains.

iframe remote content can be accessed by local javascript.

The remote server just has to set the document.domain of the page.

Eg:

Site A contains an iframe with src='Site B/home.php'

home.php looks like this:

<?php /* php stuff */ ?>
<script type='text/javascript'>document.domain='Site A'</script>

I've come across that YDN server side proxy script before. It says it's built to work with Yahoo's Search APIs.

Will it work with any domain, if you simply trim the Yahoo API code out? Or do you need to replace it with the domain you want it to work with?
