
Verifying Browserid Assertions in JavaScript with Web Cryptography API

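Do the additions to the JavaScript runtime environment in web browsers proposed in the Web Cryptography API allow us to securely verify BrowserID assertions in the browser using JavaScript?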

You could already verify BrowserID assertions client-side in JavaScript, but the problem is that you can't trust the client.

A user could for example run your code through a proxy server which alters the JavaScript to always claim that assertions are valid. Unless you're doing server-side verification, your server code will be vulnerable to clients claiming that everything is fine when in fact the assertion is bogus.

No browser API will change the fact that as far as the server is concerned, you cannot rely on the client doing the right thing. The server needs to do that verification itself.
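The point of the answer above, as an added example that is not part of the original answer: a Node.js login handler that believes a client-reported verdict, beside one that checks signature, audience and expiry on the server. The token layout, key handling, audience URL and function names are assumptions for illustration; this is a simplified stand-in, not the real BrowserID wire format.

```javascript
const crypto = require('node:crypto');

// Constructed keys: one the server trusts, one held by someone else.
const trusted = crypto.generateKeyPairSync('ed25519');
const untrusted = crypto.generateKeyPairSync('ed25519');
const AUD = 'https://app.example'; // constructed audience (this site's origin)

// Hypothetical token layout: base64url(JSON claims) + "." + base64url(signature).
function issueAssertion(email, aud, ttlMs, privateKey) {
  const payload = Buffer.from(JSON.stringify({ email, aud, exp: Date.now() + ttlMs }))
    .toString('base64url');
  const sig = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64url');
  return `${payload}.${sig}`;
}

// Weak: believes the verdict computed by JavaScript running on the client.
function loginTrustingClient(body) {
  return body.clientSaysValid === true ? body.email : null;
}

// Hardened: ignores client verdicts; checks signature, audience and expiry itself,
// and takes the identity from the verified claims, never from the request body.
function loginVerifyingOnServer(body, expectedAud, publicKey) {
  const [payload, sig, ...rest] = String(body.assertion ?? '').split('.');
  if (!payload || !sig || rest.length) return null;
  try {
    const ok = crypto.verify(null, Buffer.from(payload), publicKey,
      Buffer.from(sig, 'base64url'));
    if (!ok) return null;
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
    if (claims.aud !== expectedAud) return null; // issued for another site
    if (typeof claims.exp !== 'number' || claims.exp <= Date.now()) return null; // expired
    return typeof claims.email === 'string' ? claims.email : null;
  } catch {
    return null; // malformed payload or signature
  }
}

// Constructed request: the client reports "valid", but the assertion is not
// signed by the key the server trusts.
const bogusRequest = {
  email: 'alice@example.org',
  clientSaysValid: true,
  assertion: issueAssertion('alice@example.org', AUD, 60000, untrusted.privateKey),
};
console.log('trusting client :', loginTrustingClient(bogusRequest));
console.log('server verifies :', loginVerifyingOnServer(bogusRequest, AUD, trusted.publicKey));
```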
