jQuery modal dialog form that sends data over https

Posted on 2024-10-07 17:10:51 · 160 characters · 0 views · 0 comments · Original


I already have a working modal login dialog. The problem is that if the origin page is loaded via http, I still want to pass credentials to the server via https. And of course I want to do it with as little rewriting of working code as possible.

I cannot use JSONP for my case because login data is passed to server via POST AJAX request.

Any ideas?


Comments (3)

夜吻♂芭芘 2024-10-14 17:10:51


The Same Origin Policy makes this impossible (at least in browsers which don't support cross domain XHR, which is enough).

(And since the host document is served over HTTP it is subject to interception and alteration on the wire, which would make the data vulnerable even if it was transported over SSL)

柳若烟 2024-10-14 17:10:51


Just out of curiosity, why don't you force the user to a secure page to begin with? We had a similar issue a while back, so now we force the user to https (via redirect) as soon as they hit our page.

少女净妖师 2024-10-14 17:10:51


Please note that according to the same-origin policy it should not be possible, as you're trying to post non-secured credentials to a secured page. And if the login landing page is not using SSL, then an attacker could modify the page as it is sent to the user and change the form submission location or insert JavaScript which steals the username/password as it is typed. So the login landing page must use SSL.

To illustrate, the following table gives an overview of typical outcomes for checks against the URL "http://www.example.com/dir/page.html".

Compared URL                              Outcome   Reason
http://www.example.com/dir/page2.html     Success   Same protocol and host
http://www.example.com/dir2/other.html    Success   Same protocol and host
http://u:p@www.example.com/x/o.html       Success   Same protocol and host
http://www.example.com:81/dir/other.html  Failure   Same protocol and host but different port
https://www.example.com/dir/other.html    Failure   Different protocol
http://en.example.com/dir/other.html      Failure   Different host
http://example.com/dir/other.html         Failure   Different host (exact match required)
http://v2.www.example.com/dir/other.html  Failure   Different host (exact match required)
http://www.example.com:80/dir/other.html  Depends   Port explicit. Depends on implementation in browser.

Unlike other browsers, Internet Explorer does not include the port in the calculation of the origin, using the Security Zone in its place.


How to relax the same-origin policy

In some circumstances the same-origin policy is too restrictive, posing problems for large websites that use multiple subdomains. Here are four techniques for relaxing it:


If you really want to do that, it is possible, but you need to make sure that the public key certificate of your website has been verified by a certification authority and is therefore valid.

If it is not, you may try to add your certificate to the white list in your web browser. Or try with different web browsers.

Alternatively, you can make sure that users are always on secure pages when being presented with the login form, or disable the modal form for login forms.

Other workarounds include adding a rewrite rule that forwards the non-secured traffic to ssl, e.g.

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on
  # Force <front> to ssl for modal use of secure log in module.
  # RewriteRule patterns match the URL path, not the full URL, so the
  # front page is "^/?$"; the RewriteCond prevents a redirect loop once
  # the request already arrives over TLS.
  RewriteCond %{HTTPS} off
  RewriteRule ^/?$ https://www.example.net/ [R=301,L]
</IfModule>

See also:
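The same-origin comparison laid out in the table above, as an added example that is not part of this answer or the original post: a JavaScript comparator (the names `originOf`, `isSameOrigin`, `crossesOrigin`, `checkTable` and `TABLE_ROWS` are this example's own) run over the table's own URLs using the WHATWG `URL` parser available in browsers and Node.js. It goes one step beyond the table by treating an explicitly written default port (`:80`) as the same origin, which is how current browsers resolve the row the table leaves as "Depends", and it shows why an http:// page cannot POST credentials to an https:// endpoint with a plain XHR.

```javascript
// Added example (not the answer's own code): same-origin check over the
// table's URLs. Browsers compare the tuple (scheme, host, port); an explicit
// default port is treated as equal to an omitted one.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple. Credentials (u:p@) and the path are
// dropped, matching the table's "Same protocol and host" verdict for that row.
function originOf(urlString) {
  const u = new URL(urlString);
  // URL.port is "" both when the port is omitted and when it equals the
  // scheme default, so map "" to the explicit default for a stable compare.
  const port = u.port === "" ? DEFAULT_PORTS[u.protocol] : u.port;
  return { scheme: u.protocol, host: u.hostname, port };
}

function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// The questioner's situation: page served over http://, login endpoint over
// https://. Returns true when a plain XHR POST from the page to the endpoint
// falls under the same-origin restriction the answer describes (the scheme
// alone differs, which is enough).
function crossesOrigin(pageUrl, endpointUrl) {
  return !isSameOrigin(pageUrl, endpointUrl);
}

// Constructed from the table: [compared URL, expected same-origin]. The
// explicit :80 row is recorded as true (current browser behaviour), which is
// the one cell the table itself marks "Depends".
const BASE = "http://www.example.com/dir/page.html";
const TABLE_ROWS = [
  ["http://www.example.com/dir/page2.html", true],
  ["http://www.example.com/dir2/other.html", true],
  ["http://u:p@www.example.com/x/o.html", true],
  ["http://www.example.com:81/dir/other.html", false],
  ["https://www.example.com/dir/other.html", false],
  ["http://en.example.com/dir/other.html", false],
  ["http://example.com/dir/other.html", false],
  ["http://v2.www.example.com/dir/other.html", false],
  ["http://www.example.com:80/dir/other.html", true],
];

// Evaluate every row; returns an array of { url, expected, actual } records.
function checkTable() {
  return TABLE_ROWS.map(([url, expected]) => ({
    url,
    expected,
    actual: isSameOrigin(BASE, url),
  }));
}

// Stand-alone run: print the verdict for each row and for the login case.
if (typeof require !== "undefined" && require.main === module) {
  for (const r of checkTable()) {
    console.log(`${r.actual === r.expected ? "ok  " : "FAIL"} ${r.url} -> ${r.actual}`);
  }
  console.log(
    "login POST crosses origin:",
    crossesOrigin("http://www.example.com/login", "https://www.example.com/login")
  );
}
```

Running it with `node` prints one line per table row followed by the login verdict; the practical takeaway is that the only way the modal's POST stays same-origin is for the page hosting the modal to be served over https as well, which is exactly what the rewrite rule above enforces.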
