
Why are cross-domain AJAX requests labelled as a “security risk”?

By default, browsers don't allow cross-site AJAX requests.

I understand that a badly envisioned cross-domain request can be a security risk. If I take the html or the javascript of an external site and just "render" it into my website, that's a problem. That external code could be used for lots of bad things - like getting access to the current user's session data.

But if I only request JSON or XML data, and I use a proper library to parse the JSON (not just using eval) I can't imagine how that would be a security risk. The worst that can happen is that the content coming from that site doesn't render correctly.

Am I missing anything? Is it possible to compromise a page that reads json/xml simply by sending it some kind of malicious data?

The risk isn't to the site making the request.

For example:

  1. Alice visits Her Bank and logs in.
  2. She then visits Evil Site.
  3. Evil Site uses JavaScript to cause Alice's browser to make a request to Her Bank.
  4. Her Bank responds with Alice's account details and passes them to the JavaScript.
  5. The JavaScript then passes them on to the controller of Evil Site.

In a nutshell — it prevents attackers from reading private data from any site that Alice has credentials for (and ones that are behind a firewall, eg Alice's corporate Intranet).

Note that this won't prevent attacks which don't depend on being able to read data from the site (CSRF), but without the Same Origin Policy the standard defence against CSRF would be easily defeatable.
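The five-step scenario and the CSRF caveat in the answer above, modelled as an added JavaScript example (not code from the original thread). Her Bank's origin, its allowlist and Evil Site's origin are constructed values. The point it makes concrete is that the cross-site request still reaches Her Bank carrying Alice's cookies (so CSRF defences are still needed); the Same-Origin Policy, relaxed only by the CORS headers the server chooses to send, decides whether the calling script is ever handed the response body.

```javascript
// Added example: a minimal model of the browser-side read gate that the
// Same-Origin Policy and CORS impose. All origins below are constructed.

const BANK_ORIGIN = "https://bank.example";
// Origins Her Bank is willing to let read its responses (constructed allowlist).
const ALLOWED_ORIGINS = new Set(["https://bank.example", "https://app.bank.example"]);

// Server side (Her Bank): choose the CORS headers for a given request Origin.
// An origin not on the allowlist gets no CORS headers at all; the server never
// echoes an arbitrary Origin back together with Allow-Credentials.
function corsHeadersFor(requestOrigin) {
  if (requestOrigin !== undefined && ALLOWED_ORIGINS.has(requestOrigin)) {
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  }
  return {};
}

// Browser side: the response has already arrived (the request went out with
// Alice's cookies), but the script running on scriptOrigin only receives the
// body if the same-origin check or the CORS headers permit it.
function canScriptReadResponse(scriptOrigin, responseOrigin, headers, credentialed) {
  if (scriptOrigin === responseOrigin) return true; // same origin: always readable
  const allow = headers["Access-Control-Allow-Origin"];
  if (allow === undefined) return false; // no CORS opt-in: body withheld
  if (allow === "*") return !credentialed; // wildcard is never honoured with credentials
  return allow === scriptOrigin;
}

// Simulate a script on scriptOrigin fetching Her Bank's account endpoint.
// Returns the headers the bank emitted and whether the script can read the body.
function simulateFetch(scriptOrigin, credentialed = true) {
  const headers = corsHeadersFor(scriptOrigin);
  const readable = canScriptReadResponse(scriptOrigin, BANK_ORIGIN, headers, credentialed);
  return { headers, readable };
}

// Step 3 of the scenario: Evil Site's script makes the request. The request
// itself is not blocked; only the read of the response is.
console.log("evil site can read bank response:", simulateFetch("https://evil.example").readable);
console.log("bank's own app can read it:", simulateFetch("https://app.bank.example").readable);
```

The `Vary: Origin` header matters when the allowlist has more than one entry: without it a cache could serve one origin's `Access-Control-Allow-Origin` value to another. The wildcard branch reflects the browser rule that `*` is ignored for credentialed requests, which is why reflecting the request's Origin blindly is the mistake to watch for in a CORS configuration.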

You're absolutely right with your second point re JSON/XML. When proper precaution is taken, there is no risk in receiving JSON from another domain. Even if the server decides to return some nasty script, you can effectively manage risk with proper data parsing. In fact, this is exactly why the JSONP hack is so popular (see twitter's search api for example).

Already we're seeing HTML5 capable browsers introduce new objects and standards for cross domain communication (postMessage - http://dev.w3.org/html5/postmsg/ and Cross-Origin Resource Sharing - http://www.w3.org/TR/cors/ ).
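What "proper precaution" looks like for the questioner's case (fetching JSON from another domain and rendering it), as an added JavaScript example that is not code from the original thread or from any of the APIs it mentions. The content-type check, the expected `results` shape and the sample responses are constructed assumptions; the technique is simply to treat the response as untrusted data: parse with `JSON.parse` rather than `eval`, validate the shape, and escape before inserting into HTML.

```javascript
// Added example: handling a cross-domain JSON response as untrusted data.
// The expected shape ({ results: [{ text }] }) is a constructed assumption.

function parseUntrustedJson(contentType, body) {
  // 1. Refuse anything the server did not label as JSON.
  if (!/^application\/json\b/i.test(contentType || "")) {
    return { ok: false, reason: "unexpected content-type" };
  }
  // 2. Parse with JSON.parse, never eval: a body such as "alert(1)" is a
  //    SyntaxError here, whereas eval would execute it as script.
  let data;
  try {
    data = JSON.parse(body, (key, value) =>
      // 3. Drop keys that could pollute prototypes if the object is later
      //    merged into application state with a naive deep-merge.
      key === "__proto__" || key === "constructor" || key === "prototype" ? undefined : value
    );
  } catch (e) {
    return { ok: false, reason: "invalid JSON" };
  }
  // 4. Validate the shape you expect before using any of it.
  if (data === null || typeof data !== "object" || !Array.isArray(data.results)) {
    return { ok: false, reason: "unexpected shape" };
  }
  const results = data.results.filter(r => r && typeof r.text === "string");
  return { ok: true, results };
}

// Escape text before placing it in HTML so a "nasty" string in the JSON is
// rendered as text, not as markup or script.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Build the HTML for a parsed response; the worst case is a "could not load"
// message, which is exactly the failure mode the question describes.
function renderResults(parsed) {
  if (!parsed.ok) return "<p>Could not load results.</p>";
  return "<ul>" + parsed.results.map(r => `<li>${escapeHtml(r.text)}</li>`).join("") + "</ul>";
}

// Constructed sample responses, as a remote search API might return them.
const goodResponse = parseUntrustedJson(
  "application/json; charset=utf-8",
  '{"results":[{"text":"hello"},{"text":"<script>steal()</script>"}]}'
);
const scriptResponse = parseUntrustedJson("application/json", "alert(1)");
console.log(renderResults(goodResponse));
console.log(renderResults(scriptResponse));
```

Note what this does not cover: JSONP, which the answer mentions, is a different case entirely, because it works precisely by executing a script the remote server returns, so none of the parsing precautions above apply to it and the remote site must be fully trusted.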
