堆栈内存溢出
  简体   繁体   English

我是否可以要求使用HTTPS作为画布URL以保护signed_request内容?

[英]Can I require the use of HTTPS for canvas urls to protect signed_request contents?

 原文  2011-10-12 20:58:46       facebook/ security/ oauth/ facebook-iframe/ facebook-canvas

问题描述

I am writing a new canvas app using the iframe approach. 我正在使用iframe方法编写一个新的画布应用程序。 My backend supports both HTTP and HTTPS for the canvas responses, but it seems by default Facebook puts users on HTTP and sends all the important credentials (ie access tokens in the signed_request payload, etc) directly in plain text over HTTP. 我的后端支持画布响应的HTTP和HTTPS,但默认情况下,Facebook会将用户置于HTTP上,并通过HTTP直接以纯文本形式发送所有重要凭据(即在signed_request有效负载中访问令牌等)。 This is of course a security vulnerability on shared networks (coffee shops, offices, etc, where it would be trivial to sniff the access tokens.) 这当然是共享网络(咖啡店,办公室等)的安全漏洞,在这些漏洞中嗅探访问令牌是微不足道的。)

How can I force all my canvas requests to operate over HTTPS, and protect my users credentials? 如何强制所有画布请求通过HTTPS操作,并保护我的用户凭据?

I think all developers should want - or be required - to do this. 我认为所有开发人员都应该 - 或者被要求 - 这样做。 While I am new to Facebook development, I am surprised that they would not be using HTTPS for all direct transmissions of user access tokens. 虽然我不熟悉Facebook开发,但我很惊讶他们不会将HTTPS用于所有用户访问令牌的直接传输。 Oauth 1.0 had mechanisms to enable the use of access tokens over HTTP (since requests had to be signed by the client application) but OAuth 2.0 did away with all of that in favor of using HTTPS for any request with an embedded credential. Oauth 1.0具有允许通过HTTP使用访问令牌的机制(因为请求必须由客户端应用程序签名),但OAuth 2.0取消了所有这些,支持使用HTTPS来获取具有嵌入式凭证的任何请求。 Facebook helped design OAuth 2.0 and is, afaics, undermining the security of the design by deviating from HTTPS usage in canvas requests. Facebook帮助设计了OAuth 2.0,并且是afaics,通过偏离画布请求中的HTTPS使用来破坏设计的安全性。

1 个解决方案

解决方案1
 0  2012-07-23 17:03:12

You can do this easily using PHP or JavaScript. 您可以使用PHP或JavaScript轻松完成此操作。 All you have to do is detect if the user is using HTTP and redirect them to HTTPS instead. 您所要做的就是检测用户是否正在使用HTTP并将其重定向到HTTPS。 Example: 例: 

<script>
if ( window.location.protocol == 'http:' ) {
   window.top.location = 'https://facebook.com/yourapp';
}
</script>

The above code will check if the iframe is loaded using HTTP. 上面的代码将检查是否使用HTTP加载iframe。 If it is, it will reset the parent URL (ie facebook) to point to the HTTPs version of your website (hence loading the iframe using HTTPS too). 如果是,它将重置父URL(即facebook)以指向您网站的HTTPs版本(因此也使用HTTPS加载iframe)。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我的画布页面上没有收到signed_request参数 - I am not receiving the signed_request parameter on my canvas page signed_request是否安全? - Is signed_request secure? Facebook canvas身份验证:重定向后没有signed_request参数 - Facebook canvas authentication: No signed_request parameter after redirect 如何在C#中为Canvas signed_request解码OAuth 2.0? - How to decode OAuth 2.0 for Canvas signed_request in C#? 画布应用程序:signed_request POST参数的名称不同 - Canvas Apps: signed_request POST parameter is named different 如何处理iframe Canvas应用程序的Facebook signed_request? - How to handle Facebook's signed_request for iFrame Canvas applications? 可以伪造facebook的$ _REQUEST [“ signed_request”] - can facebook's $_REQUEST[ “signed_request” ] be faked 没有获得$ _REQUEST [&#39;signed_request&#39;] - Not getting $_REQUEST['signed_request'] 为什么在我所有的Facebook应用程序页面中都看不到signed_request? - why can't i see the signed_request in all my facebook application pages? 无法解析signed_request以获取Facebook注册表格 - Can't parse signed_request for Facebook registration form
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM