使用跨域 XMLHttpRequest 有哪些安全风险?

在很多地方,我看到人们谈论过跨域 XMLHttpRequest,由于某些安全原因,这是不可能的.但是,我还没有找到说明这些安全原因究竟是什么的帖子?

In many places I've seen people have talked about the Cross-Domain XMLHttpRequest, which is not possible, due to some security reasons. However, I haven't found a post indicating what those security reasons actually are?

人们提到 JSONP 是很好的替代方案之一.另一种选择是使用 OriginAccess-Control-Allow-Origin 标头.

People have mentioned that JSONP is one of the good alternatives. Another alternative would be to use Origin and Access-Control-Allow-Origin headers.

但是,我只想知道跨域使用 XMLHttpRequest 会引发哪些安全问题?

However, I just want to know what security problems can be raised due to cross-domain XMLHttpRequest usage?

推荐答案

我认为最好回答你的问题,例如为什么它会非常糟糕.

I think it would be best to answer your question of an example of WHY it would be horrendously bad.

您访问我的网站 (example.org).我加载了一个向 facebook.com/messages/from/yourgirlfriend 发出客户端 AJAX 请求的脚本.你碰巧登录了 facebook,你的浏览器告诉 Facebook 我的请求实际上是你.Facebook 很高兴地向我提出了关于你想尝试的奇怪性行为的信息.我现在知道了一些你可能不想让我知道的关于你的事情.

You go to my website (example.org). I load a script that makes a client-side AJAX request to facebook.com/messages/from/yourgirlfriend. You happened to be logged in to facebook, and your browser tells Facebook that my request is actually you. Facebook happily gives my request that message about the strange sexual things you want to try. I now know things about you you probably didn't want me to know.

这当然是夸张了,幸好由于同源政策是不可能的.

This, of course is a wild exaggeration, and thankfully not possible thanks to the same origin policy.

你现在不觉得更安全了吗?

Don't you feel safer now?

相关文章