
Secure JavaScript Running on 3rd Party Sites

We have a "widget" that runs on 3rd party websites, that is, anyone who signs up with our service and embeds the JavaScript.

At the moment we use JSONP for all communication. We can securely sign people in and create accounts via the use of an iFrame and some magic with detecting load events on it. (Essentially, we wait until the iFrame's source is pointing back to the client's domain before reading a success value out of the title of it.)

Because we're running on JSONP, we can use the browser's HTTP cookies to detect if the user is logged in.

However, we're in the process of transitioning our system to run realtime and over web sockets. We will still have the same method for authentication but we won't necessarily be making other calls using JSONP. Instead those calls will occur over websockets (using the library Faye).

How can I secure this? The potential security hole is if someone copies the JavaScript off an existing site, alters it, then gets people to visit their site instead. I think this defeats my original idea of sending back a secure token on login, as the malicious JavaScript would be able to read it and then use it to perform authenticated actions.

Am I better off keeping my secure actions running over regular JSONP and my updates over WebSockets?

Websocket connections receive cookies only during the opening handshake. The only site that can access your websocket connection is the one that opened it, so if you're opening your connection after authentication then I presume your security will be comparable to your current JSONP implementation.

That is not to say that your JSONP implementation is secure. I don't know that it isn't, but are you checking the referrers for your JSONP requests to ensure they're really coming from the same 3rd-party site that logged in? If not, you already have a security issue from other sites embedding your JavaScript.

In any case, the 3rd party having an XSS vulnerability would also be a very big problem, but presumably you know that already.

Whether you are sent cookies during the opening WebSocket handshake by the browser (and if so, what cookies) is not specified by the WS spec. It's left up to browser vendors.

A WS connection can be opened to any site, not only the site originally serving the JS doing the connection. However, browsers MUST set the "Origin" HTTP header in the WS opening handshake to the one originally serving the JS. The server is then free to accept or deny the connection.

You could e.g. generate a random string in JS, store that client side, and let that plus the client IP take part in computing an auth token for WS.
