100% SSL or selective SSL, JSONP ... and no errors?
I would like to invite your considered opinion to help me decide between the following two origin policies for my Ajax app:

- Load all my assets from HTTPS://www.mydomain.com
  - Plus: Ajax is easy. No problems with Same Origin Policy.
  - Plus: PUT method offers large payloads.
  - Plus: Network error messages can be fed back to the user.
  - Minus: Server needs to sweat more to encrypt all that dross that makes up a web site. Browser needs to sweat more decrypting it all. Overall slower user experience.
- Load most of the dross via HTTP://www.mydomain.com and use HTTPS://www.mydomain.com only for sensitive data exchanges.
  - Plus: Faster user experience as browser and, more importantly, my server do less cryptography.
  - Plus: Ajax still easy via JSONP work-around to SOP (*).
  - Minus: GET method on JSONP limits payload to 2K - may become an issue.
  - BIG Minus: Cannot find any way to grab status response from header following network errors (of whatever kind). User information cannot extend beyond "My bad".

Any thoughts?

(*) BTW, I would really appreciate if someone could give me an example of a security vulnerability brought on by a switch of protocol on the same domain. I understand that these are different servers, but so what? They are on my domain. I control them. I do not understand the concern.
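The following is an added example, not code from the question or from either answer, showing what the "JSONP work-around to SOP" listed above gives up. It models a 2010-era browser, a victim logged in to www.mydomain.com, and an attacker page at evil.example; the /api/profile endpoint, the session data and the X-Requested-With check on the hardened endpoint are all hypothetical. The Same Origin Policy lets any page load a script from any origin, so a JSONP endpoint that authenticates by cookie is readable by every site the user visits.

```javascript
// Added example, not code from the question or its answers. Hostnames,
// endpoints and session data are hypothetical.

// Server-side session store (constructed sample data).
const SESSIONS = {
  "sess-42": { user: "alice", email: "alice@mydomain.com", balance: 1234.5 },
};

// Hypothetical JSONP endpoint at https://www.mydomain.com/api/profile.
// It authenticates by session cookie alone, which is all the
// "Ajax still easy via JSONP" design can do.
function jsonpProfileEndpoint(req) {
  const session = SESSIONS[req.cookies.session];
  if (!session) return { status: 401, body: "" };
  const cb = req.query.callback || "callback";
  // The response is executable JavaScript, not data.
  return { status: 200, body: `${cb}(${JSON.stringify(session)});` };
}

// Hypothetical hardened replacement for an all-HTTPS origin: plain JSON
// over same-origin XMLHttpRequest. It refuses any request lacking a header
// that a <script> tag (or an HTML form) cannot set.
function jsonProfileEndpoint(req) {
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, body: "" };
  }
  const session = SESSIONS[req.cookies.session];
  if (!session) return { status: 401, body: "" };
  return { status: 200, body: JSON.stringify(session) };
}

// Minimal browser model. Cookies are keyed by the host being requested,
// not by the origin of the page that triggered the request, so a third
// party page gets the victim's cookies attached to anything it loads
// from www.mydomain.com.
const browser = {
  cookieJar: { "www.mydomain.com": { session: "sess-42" } }, // victim is logged in

  // <script src="..."> : send cookies, run the response in the page's scope.
  loadScript(page, src, endpoint) {
    const u = new URL(src);
    const res = endpoint({
      query: Object.fromEntries(u.searchParams),
      cookies: this.cookieJar[u.host] || {},
      headers: {},
    });
    if (res.status === 200) {
      // Whatever the server sent back now runs as the page's own code.
      new Function("page", `with (page) { ${res.body} }`)(page.globals);
    }
    return res.status;
  },

  // XMLHttpRequest without CORS: the request is made, but the SOP hides
  // the response body from a page whose origin differs from the URL's.
  xhr(page, url, endpoint) {
    const u = new URL(url);
    const res = endpoint({
      query: Object.fromEntries(u.searchParams),
      cookies: this.cookieJar[u.host] || {},
      headers: { "x-requested-with": "XMLHttpRequest" },
    });
    return page.origin === u.origin ? res.body : null;
  },
};

// Attacker page at http://evil.example containing
//   <script src="https://www.mydomain.com/api/profile?callback=steal"></script>
function runJsonpTheft() {
  const stolen = [];
  const evilPage = { origin: "http://evil.example", globals: { steal: d => stolen.push(d) } };
  browser.loadScript(evilPage, "https://www.mydomain.com/api/profile?callback=steal", jsonpProfileEndpoint);
  return stolen; // the victim's profile, now in evil.example's hands
}

// The same attacker against the JSON endpoint: the script tag gets a 403,
// a cross-origin XHR gets no readable body, the site's own page still works.
function runJsonAttempts() {
  const evilPage = { origin: "http://evil.example", globals: {} };
  const ownPage = { origin: "https://www.mydomain.com", globals: {} };
  const url = "https://www.mydomain.com/api/profile";
  return {
    scriptStatus: browser.loadScript(evilPage, url, jsonProfileEndpoint),
    crossOriginBody: browser.xhr(evilPage, url, jsonProfileEndpoint),
    sameOriginBody: browser.xhr(ownPage, url, jsonProfileEndpoint),
  };
}
```

Two caveats. First, the attack relies on the browser attaching cookies to cross-site script loads; Chromium-based browsers now treat cookies without a SameSite attribute as Lax, which blocks this particular load, but a cookie explicitly marked SameSite=None reopens it, and an endpoint should not depend on the client's default. Second, the unvalidated callback name in the JSONP endpoint is also a reflected-XSS sink, so even a JSONP endpoint that returns nothing sensitive should restrict callback to a plain identifier.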
Comments (2)
Use SSL. Did you benchmark the performance loss for SSL? In general, modern computers are fast and SSL encryption/decryption overhead is negligible. See "How much overhead does SSL impose?" for some discussion on the subject.
Not having to use JSONP, being able to use HTTP PUT, and all the other benefits you outlined are worth more than a few CPU cycles in my book.
Regarding the vulnerability, I've put examples in another answer:
Regarding the overhead of using SSL/TLS, this article by Google engineers should be of interest, more specifically:
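One concrete vulnerability of the kind the question's footnote asks about, as an added example that is not from either answer: cookies are scoped by host and path, never by scheme (RFC 6265 section 5.4), so a session cookie issued by https://www.mydomain.com is attached to every plain-HTTP request to www.mydomain.com unless it carries the Secure attribute. The parser below is a subset of RFC 6265 (Path defaults to "/" rather than being derived from the request URI); the hostnames, cookie names and values are hypothetical.

```javascript
// Added example, not code from the question or the answers. Hostnames,
// cookie names and values are hypothetical.

// Parse one Set-Cookie header into a stored cookie (subset of RFC 6265
// section 5.2: name/value plus Path, Domain, Secure and HttpOnly).
function parseSetCookie(header, responseUrl) {
  const u = new URL(responseUrl);
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: u.hostname, // host-only unless a Domain attribute is given
    path: "/",          // simplification: RFC derives this from the request path
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "path":     cookie.path = v || "/"; break;
      case "domain":   cookie.domain = v.replace(/^\./, "").toLowerCase(); break;
      case "secure":   cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching.
function domainMatches(cookieDomain, host) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4 path matching.
function pathMatches(cookiePath, reqPath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/");
}

// RFC 6265 section 5.4: the Cookie header the browser builds for `url`.
// The scheme of the request matters in exactly one place: the Secure check.
function cookieHeaderFor(jar, url) {
  const u = new URL(url);
  const overHttps = u.protocol === "https:";
  return jar
    .filter(c => domainMatches(c.domain, u.hostname) &&
                 pathMatches(c.path, u.pathname) &&
                 (!c.secure || overHttps))
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// Scenario from the question: login happens on https://www.mydomain.com,
// most of the site is then fetched from http://www.mydomain.com.
const LOGIN_URL = "https://www.mydomain.com/login";
const PLAIN_ASSET = "http://www.mydomain.com/js/app.js";
const SECURE_API = "https://www.mydomain.com/api/balance";

// What a passive sniffer on the user's network sees in the request for
// the plain-HTTP asset: the whole Cookie header, in cleartext.
function leakedOverHttp(setCookieHeader) {
  const jar = [parseSetCookie(setCookieHeader, LOGIN_URL)];
  return cookieHeaderFor(jar, PLAIN_ASSET);
}

// Vulnerable: a typical framework default, no Secure attribute.
const VULNERABLE = "session=abc123; Path=/; HttpOnly";
// Fixed: Secure keeps the cookie off plain-HTTP requests to the same host.
const FIXED = "session=abc123; Path=/; HttpOnly; Secure";

function demo() {
  return {
    vulnerableLeak: leakedOverHttp(VULNERABLE),  // "session=abc123"
    fixedLeak: leakedOverHttp(FIXED),            // ""
    fixedStillWorks: cookieHeaderFor([parseSetCookie(FIXED, LOGIN_URL)], SECURE_API), // "session=abc123"
  };
}
```

The Secure attribute closes the leak on the wire, but it does not make the mixed-scheme design safe: an attacker who can tamper with the HTTP-delivered "dross" runs code in the http://www.mydomain.com origin with the user's browser, and HTTP responses from that host can still set cookies for it (modern browsers refuse to let a non-secure origin overwrite an existing Secure cookie, per draft-ietf-httpbis-cookie-alone, but they accept new ones). Serving everything over HTTPS removes both problems, which is the point the first answer makes.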