Same-origin policy solution

I see the security risks with cross-domain Ajax calls, but I think the real problem is the cookies that the browsers automatically send to the target cross-domain.

So why can't the browser just not send cookies in the case of a cross-domain JS request, instead of blocking that request altogether?

I hope my question makes sense.

EDIT:

from: https://en.wikipedia.org/wiki/Same-origin_policy

While this is true, the JavaScript has no direct access to the banking session cookie, but it could still send and receive requests to the banking site with the banking site's session cookie, essentially acting as a normal user of the banking site. Regarding the sending of new transactions, even CSRF protections by the banking site have no effect, because the script can simply do the same as the user would do

So suppose I'm logged on to Facebook and meanwhile visiting a malicious site that uses cross-site requests to Facebook to steal information about me. I mean, the only reason it could do it is because a legitimate cookie is included in the requests by the browser, am I wrong?

1 answer

You have a confusion of ideas.

A cookie is simply cached information that is stored on the client side. Simply put, it is data that is managed by the browser, and how a particular browser does it is its own doing. For example, IE stores cookies in separate text files, Firefox uses a single file, and Chrome uses an SQLite3 database.

I recommend you read: Why is the same origin policy important?

You can send cross-domain GET requests, and there are several ways. I have used a proxy that adds the required headers, or just JSONP. For example, in .NET the latter requires you to add a JSON formatter that gets the JSON callback function.

If you have two-way communication with the web page, none of this is required. You can manage the state on the server side and do server-side "push" requests at will. Before HTML5, you needed components to do that, e.g. a Java applet, Flash, Silverlight or ....

I hope my answer makes sense to you.
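As an added illustration (not part of the original question or answer), here is a small JavaScript model of the two mechanisms the thread is circling: the browser attaching the target host's cookies to a cross-origin request (the behaviour the asker objects to, and the reason the quoted CSRF concern exists), and the CORS response-header check that decides whether the calling page may read the reply (the "required headers" a proxy adds in the answer). The hostnames, cookie values and the function names `buildRequest`, `corsCheck` and `demo` are constructed for the example; the cookie jar ignores cookie attributes such as path and Secure.

```javascript
// Constructed cookie jar: hostname -> { name: value }. Real browsers also
// honour path, Secure, HttpOnly and other attributes; they are left out here.
const cookieJar = {
  "bank.example": { session: "s3cr3t-session-id" },
  "social.example": { sid: "abc123" },
};

// Model the browser preparing a request from a page at `pageOrigin` to
// `targetUrl`. With credentials "include" the cookies stored for the target
// host ride along no matter which page issued the request (the behaviour the
// question describes); with "omit" they are stripped (the asker's proposal).
function buildRequest(pageOrigin, targetUrl, credentials = "include") {
  const target = new URL(targetUrl);
  const jar = cookieJar[target.hostname] || {};
  const headers = { Origin: pageOrigin };
  if (credentials === "include" && Object.keys(jar).length > 0) {
    headers.Cookie = Object.entries(jar).map(([k, v]) => `${k}=${v}`).join("; ");
  }
  return { method: "GET", url: targetUrl, headers, credentials };
}

// The check a browser applies to a cross-origin response before exposing it
// to script. Note what it does NOT do: the request has already reached the
// server, cookies and all; only the script's ability to read the reply is
// gated. That gap is exactly why servers need their own CSRF protections.
function corsCheck(request, responseHeaders) {
  const origin = request.headers.Origin;
  const targetOrigin = new URL(request.url).origin;
  if (origin === targetOrigin) return { readable: true, reason: "same-origin" };

  const allowOrigin = responseHeaders["Access-Control-Allow-Origin"];
  const allowCreds = responseHeaders["Access-Control-Allow-Credentials"];
  const withCookies = request.headers.Cookie !== undefined;

  if (allowOrigin === undefined) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allowOrigin === "*") {
    // A wildcard is only honoured for requests carrying no credentials.
    return withCookies
      ? { readable: false, reason: "wildcard origin is not valid with credentials" }
      : { readable: true, reason: "wildcard origin, no credentials" };
  }
  if (allowOrigin !== origin) return { readable: false, reason: "origin mismatch" };
  if (withCookies && allowCreds !== "true") {
    return { readable: false, reason: "credentials sent but not allowed" };
  }
  return { readable: true, reason: "origin allowed" };
}

// Walk through the thread's scenario with constructed server responses.
function demo() {
  const page = "https://other.example";
  const balance = "https://bank.example/api/balance";
  const withCookie = buildRequest(page, balance);           // default browser behaviour
  const withoutCookie = buildRequest(page, balance, "omit"); // asker's proposal
  const noCorsHeaders = {};
  const wildcard = { "Access-Control-Allow-Origin": "*" };
  const explicitAllow = {
    "Access-Control-Allow-Origin": page,
    "Access-Control-Allow-Credentials": "true",
  };
  return {
    cookieSent: withCookie.headers.Cookie,        // "session=s3cr3t-session-id"
    cookieOmitted: withoutCookie.headers.Cookie,  // undefined
    readNoCors: corsCheck(withCookie, noCorsHeaders).readable,       // false
    readWildcardWithCookie: corsCheck(withCookie, wildcard).readable, // false
    readWildcardNoCookie: corsCheck(withoutCookie, wildcard).readable, // true
    readExplicitAllow: corsCheck(withCookie, explicitAllow).readable,  // true
  };
}

console.log(demo());
```

The useful takeaway for the asker is the asymmetry `demo()` shows: the same-origin policy decides whether the page can read the response, while the cookie is attached on the way out regardless. That is why a server cannot rely on the browser alone and still needs CSRF defences for state-changing requests.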
