

Does a policy prohibiting jQuery in Enterprise applications make sense?

Are there any outstanding vulnerabilities (2) in jQuery that haven't been addressed in the latest release, for instance? Any other valid reason why security packages would flag the library as unsafe?

This question is related to (1) but is broader in nature.

(1) - jQuery vulnerability (NVD CVE-2007-2379)

(2) - http://www.networkworld.com/news/2007/040207-javascript-ajax-applications.html

In a word? Nope.

Ask yourself this: if you're planning to develop and deploy an enterprise application that's got enough Javascript code on the client that jQuery seems like a valuable toolkit to use, how much confidence do you have in the client-side security savvy of your own development team? The "major" frameworks — Dojo, Prototype, jQuery, MooTools, even Qooxdoo — get the attention of some of the most knowledgeable and skilled Javascript coders in the industry, and a huge exposure to testing under a wide variety of conditions.

Besides that, it's really the case that it's your own application code anyway that's going to make or break your security story except in pretty rare cases.

I'm going to let the hard-core security gurus give the final verdict on this one, but I think you're pretty much in the clear simply due to the nature of jQuery as a library. If there is a serious leak, it is bound to be in the underlying JavaScript core, not in a library built on top of it.

I don't believe you'll run into a jQuery vulnerability that isn't really a core security flaw in the browser's own implementation rather than in jQuery.

Jquery or javascript are not vulnerable, it's the websites developers write that are vulnerable because they don't really know the business or because from time to time there is someone smarter than the web expert.

Probably the most dangerous part would be the Ajax requests (Jquery or javascript driven ;-) ) because there is a tendency to relax on security issues.

But that is only the beginning, in any application even if there is not a javascript line, the client / user can use javascript / jquery by himself, using the mere Firebug, that's why verifications are always mandatory in client and overall server.

A quick and simple example: I can change values of a particular form by javascript even if the values are readonly etc...
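The point made in the answer above, that readonly form values can be rewritten in the browser and so the server must re-check everything, as an added example that is not part of the original thread: the catalogue, the field names and `validateOrderSubmission` are hypothetical, and the prices stand in for a server-side database.

```javascript
// Server-side validation for a checkout form (hypothetical names, added example).
// The browser renders "priceCents" as a readonly input, but a user can rewrite it
// with Firebug/dev tools or a one-line script, so the server must never trust it:
// server-owned fields are re-derived from the server's own record, a mismatch is
// treated as tampering, and the user-editable fields are range-checked.

// Constructed catalogue standing in for the server's database (prices in cents).
const CATALOGUE = {
  'SKU-100': { priceCents: 1999, maxQty: 10 },
  'SKU-200': { priceCents: 24900, maxQty: 2 },
};

// Only these fields may legitimately be chosen by the user.
const CLIENT_EDITABLE = new Set(['sku', 'quantity']);
// These are posted by the form (readonly inputs are submitted) but owned by the server.
const SERVER_OWNED = new Set(['priceCents']);

function validateOrderSubmission(body) {
  const errors = [];

  // Unknown fields mean the request did not come from the form we served.
  for (const key of Object.keys(body)) {
    if (!CLIENT_EDITABLE.has(key) && !SERVER_OWNED.has(key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }

  const item = CATALOGUE[body.sku];
  if (!item) errors.push('unknown sku');

  // Quantity is user-editable, so validate it against server-side limits.
  const qty = Number(body.quantity);
  if (!Number.isInteger(qty) || qty < 1) {
    errors.push('quantity must be a positive integer');
  } else if (item && qty > item.maxQty) {
    errors.push(`quantity exceeds limit of ${item.maxQty}`);
  }

  // A readonly field that arrives changed is a tamper signal worth logging,
  // not something to silently correct.
  if (item && 'priceCents' in body && Number(body.priceCents) !== item.priceCents) {
    errors.push('priceCents does not match server record (possible client-side tampering)');
  }

  if (errors.length > 0) return { ok: false, errors };
  // The total is computed from the server's price, never from the request.
  return { ok: true, order: { sku: body.sku, quantity: qty, totalCents: item.priceCents * qty } };
}
```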

I agree that jQuery is secure and fine for the enterprise.

However, I would add two caveats based on personal experience we encountered after approving jQuery.

1) jQuery itself is secure, but jQuery plugins may have vulnerabilities (think XSS). When we approved jQuery for use in enterprise, developers suddenly were using random 3rd party plugins which were not easy to screen for vulnerabilities. If you are opening the door to jQuery, you need to be clear about what plugins in the jQuery ecosystem are allowed also.

2) jQuery makes it very easy to do UI effects, which can be both good and bad. We handed off our UI design to a design firm, who went crazy using jQuery for complex UI effects. The customer loved the visuals, but we realized too late that the jQuery UI code was cumulatively very slow in Internet Explorer. As a result, we spent a lot of time optimizing their code for IE. These were not known during dev as everyone was using Firefox/Chrome, which have great JavaScript engines.
