Payment gateway and XSS

Posted 2024-09-02 02:32:55 · 415 characters · 7 views · 0 comments


I'm working on a website which takes payment from a customer. I'm using Kohana 2.3.4 and have created a library to handle the payment gateway I use (www.eway.com.au). Basically I'm just using their sample code, copied into its own class.

Anyway, the code works fine and I can make payments, etc. The issue I have is when the payment gateway is returning the user to my site. The payment gateway uses HTTPS so that is secure, and it is sending the user back to an HTTPS page on my site.

However I have the NoScript plugin installed in Firefox, and when I get sent back to the page on my website (which also handles storing the transaction data) I get an error message saying that NoScript has blocked a potential XSS attack.

Now I understand why it's insecure (POST data being sent across two different domains) but what should I be doing instead? Obviously during my testing here I temporarily disable NoScript and it all works fine, but I can't rely on that for the end users.

What's the best practice here?


Comments (2)

一个人的夜不怕黑 2024-09-09 02:32:55


This is the way most payment gateways operate. If your gateway does not provide you with another way of handling transmitted data, then you're stuck with it.

On the other hand: Don't worry too much. Depending on your audience, most users won't have NoScript installed. And those that do will hopefully know what to do in such a situation.
