Is it safe to use $.support.cors = true; in jQuery?


I was trying to hit a web service on a different domain using jQuery's ajax method. After doing some research, it looks like it does not allow this by design, to prevent cross-site scripting.

I came across a workaround, which was to include this line:

$.support.cors = true;

at the top of my JavaScript code. From what I understand, this enables cross-site scripting in jQuery.

Does having this line of code make my site more vulnerable to attack? I've always heard XSS discussed as a security issue; are there legitimate uses for XSS?

3 answers

#1


35  

XSS is not a feature that can be enabled in jQuery. It would be very, very unusual if the jQuery core had an XSS vulnerability, but it is possible and it's called DOM-based XSS.

"Cross-Origin Resource Sharing" or CORS isn't the same as XSS, but if a web application had an XSS vulnerability, then an attacker would have CORS-like access to all resources on that domain. In short, CORS gives you control over how you break the same-origin policy such that you don't need to introduce a full-on XSS vulnerability.

The $.support.cors query feature relies upon the Access-Control-Allow-Origin HTTP response header. This could be a vulnerability. For example, if a web application had Access-Control-Allow-Origin: * on every page, then an attacker would have the same level of access as an XSS vulnerability. Be careful which pages you introduce CORS headers on, and try to avoid * as much as possible.

So to answer your question: NO, a web application never needs to introduce an XSS vulnerability because there are ways around the SOP such as CORS/jsonp/cross domain proxies/access-control-origin.
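The advice in the answer above (limit which pages send CORS headers and avoid `*`), sketched as an added example that is not part of the original answer or of jQuery: a wildcard policy beside an allowlist policy, run over constructed requests. The origins, paths and names (ALLOWED_ORIGINS, CORS_PATHS, weakCorsHeaders, strictCorsHeaders) are assumptions for illustration.

```javascript
// Added example; all names, origins and paths here are hypothetical.

// Weak: every response on every page is readable by any origin.
function weakCorsHeaders(_requestOrigin, _path) {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened: only listed paths opt in to CORS, and only for listed origins.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);
const CORS_PATHS = [/^\/api\/public\//];

function strictCorsHeaders(requestOrigin, path) {
  // The response differs per Origin, so shared caches must key on it.
  const headers = { Vary: 'Origin' };
  if (!CORS_PATHS.some((re) => re.test(path))) return headers;
  // Exact match only: no substring or suffix checks, and "null" is not listed.
  if (typeof requestOrigin === 'string' && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return headers;
}

// Constructed sample requests: [Origin header value, request path].
const SAMPLES = [
  ['https://app.example.com', '/api/public/items'],
  ['https://app.example.com', '/account/settings'],
  ['https://app.example.com.other.test', '/api/public/items'],
  ['null', '/api/public/items'],
  [undefined, '/api/public/items'],
];

// Returns, per sample, the Access-Control-Allow-Origin value each policy sends.
function compare() {
  return SAMPLES.map(([origin, path]) => ({
    origin,
    path,
    weak: weakCorsHeaders(origin, path)['Access-Control-Allow-Origin'] ?? null,
    strict: strictCorsHeaders(origin, path)['Access-Control-Allow-Origin'] ?? null,
  }));
}

console.table(compare());
```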


#2


11  

It can help only if you have CORS enabled in your browser but it isn't supported by jQuery yet:


To enable cross-domain requests in environments that do not support cors yet but do allow cross-domain XHR requests (windows gadget, etc), set $.support.cors = true;. CORS WD


Just setting this property to true can't cause a security vulnerability.

#3


3  

When a hacker is able to inject script code to change the requests to another domain, he is also able to set this JavaScript flag in the script.

So whether this flag is set doesn't change much at this point of the intrusion.
