
XSS - Send data to the source server of a script?

I am writing a JavaScript application where I plan on hosting the code on a CDN. Now I plan to include this code in my clients' sites. However, I have a problem: I want to use AJAX to communicate between the client and the server. Now, from my understanding of XSS, this is not possible.

Ex:

  1. User visits site.com, where a script tag's source is pointing to a file on cdn.somedomain.com
  2. The script on cdn.somedomain.com fires an event.
  3. This event will communicate with a PHP. I know it is possible for the script from cdn.somedomain.com to request documents on site.com. However, is it possible to send data back to a PHP file on cdn.somedomain.com?

Thanks for helping an entrepreneur! :D

The short is I think this is possible, but it depends on a couple of things. The same origin policy is a weird thing in that it won't allow cross domain reads, but will allow cross domain writes.

I think a way you could accomplish your goal is by making a GET request (minimally by creating an iframe, img, or whatever else that pulls a src) or possibly even using AJAX. If your goal is to only send data, then that should be fine. However, if you want to read this data back then I think that'll be a little less straightforward. I can't really answer that right now - especially without knowing more details about your system setup.

Sounds like a weird use of a CDN. Normally CDNs serve static assets, so you wouldn't put a PHP file there. In fact the CDN wouldn't normally run dynamic server side code at all. You can address the problem in several ways. Newer browsers support CORS and cross domain AJAX. The CDN would then have to use the Access-Control-* headers. You could also look at something like easyXDM, which works in older browsers.
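As an added example (not code from the question or either answer), this is the server-side CORS decision the second answer alludes to: the endpoint on the CDN host answers cross-domain AJAX from site.com only when the request's Origin is on an explicit allowlist, and it handles the preflight the browser sends first. The allowlist, the permitted methods and the request shape are assumptions for illustration.

```javascript
// Constructed allowlist of client sites that embed the CDN script.
const ALLOWED_ORIGINS = new Set([
  'https://site.com',
  'https://www.site.com',
]);
// Only the methods this endpoint actually implements (assumption).
const ALLOWED_METHODS = ['GET', 'POST'];

// Returns the CORS response headers for an allowlisted Origin, or null when
// the Origin is not allowed (the browser then refuses the cross-site read).
function corsHeadersFor(origin, method, requestedMethod) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    // Echo the specific allowlisted origin; never reflect arbitrary origins.
    'Access-Control-Allow-Origin': origin,
    // The response differs per Origin, so caches (the CDN included) must key on it.
    'Vary': 'Origin',
  };
  if (method === 'OPTIONS') {
    // Preflight: refuse methods the endpoint does not implement.
    if (!ALLOWED_METHODS.includes(requestedMethod)) return null;
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Minimal handler over a constructed request shape: { method, headers }.
// Header names are lower-cased, as Node's http module presents them.
function handle(req) {
  const origin = req.headers['origin'];
  if (origin === undefined) {
    // No Origin header: same-origin page or non-browser client, serve as usual.
    return { status: 200, headers: {}, body: '{"ok":true}' };
  }
  const cors = corsHeadersFor(origin, req.method,
                              req.headers['access-control-request-method']);
  if (!cors) return { status: 403, headers: {}, body: '' };
  if (req.method === 'OPTIONS') return { status: 204, headers: cors, body: '' };
  return { status: 200, headers: cors, body: '{"ok":true}' };
}
```

The same checks apply whatever language the CDN endpoint is written in; a PHP file would read the Origin header and emit these headers before doing any work.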
