如何发出不可伪造的跨域请求

发布于 2024-11-01 09:28:41 字数 882 浏览 3 评论 0原文

我需要从 Site B 获取一些数据到 Site A 的服务器端。为了向站点 B 发出请求以检索数据,需要存在与站点 B 的域关联的 Cookie。我想我因此需要使用 JSONP 在 javascript 中执行此操作?

我的想法是使用 JavaScript 向 B 发出请求,然后捕获结果并将其粘贴到 A 域上的 cookie,以便后续向 A< /code> 将携带带有返回数据的 cookie(向 A 发送两次请求才能将信息发送到 A 的服务器端并不重要)。这会工作得很好,除了它完全可以破解。

数据本身并不秘密,但我需要防止请求伪造或 Site A 上的人员手动调用 JSONP 回调函数,或通过窃取或其他方式手动设置 A cookie伪造的数据。另外,还有其他的黑客漏洞吗?这也是需要预防的!

我能想到的唯一方法是:

Site A 生成一个随机令牌并将其存储在会话中。然后,它将此令牌附加到对 Site B 的 JSONP 请求的查询字符串中。然后,站点 B 做出响应,但使用数字签名对常用数据以及令牌进行加密。然后,站点 A 将此值粘贴到 A 上的 cookie 中。在下一个对A的请求中,A的服务器端可以捕获cookie,获取值,解密它,检查令牌并是否与会话中的值匹配,相信其余的数据。

这听起来合理吗?有更简单的方法吗?我的目标是降低 A 端的复杂性。

谢谢

I need to get some data from Site B into Site A's server side. In order to make the request to Site B to retrieve the data, there are cookies associated with Site B's domain which need to be present. I assume I therefore need to do this in javascript with JSONP?

My ideas was to use JavaScript to make the request to B and then capture the result and stick it a cookie on As domain such that subsequent requests to A would carry the cookie with the returned data (it doesnt matter that it takes two requests to A to get the information to A's serverside). This would work fine, except its completely hackable.

The data itself isn't secret but I need to prevent request forgery or people on Site A calling the JSONP callback function manually, or setting the A cookie manually with stolen or otherwise faked data. Also, is there any other loophole for hacking? This would also need preventing!

The only way I can think of doing this is:

Site A generates a random token and stores it in the session. It then appends this token to the querystring of the JSONP request to Site B. Site B then responds but encrypts the usual data along with the token using digital signing. Site A then sticks this value in a cookie on A. In the next request to A, As server side can capture the cookie, get the value, decrypt it, check the token and if it matches the value in the session, trust the rest of the data.

Does this sound sensible? Is there an easier way? My goal is to reduce the complexity at As end.

Thanks

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

浅语花开 2024-11-08 09:28:42

避免被黑客攻击的方法是让站点直接相互通信,而不是使用客户端 JavaScript。编写一个小型轻量级 REST API,允许数据在后台、服务器到服务器之间传输。

链接到站点 A 时,请在 URL 中包含身份验证令牌,然后可以使用对站点 B 的幕后调用来检查该令牌。此调用可以传输任何其他所需信息。令牌可能应该是 IP 绑定的,并在使用后过期。成功后,您可以在站点 A 中设置您的 cookie 信息,以避免进一步的往返。

The way to avoid it being hackable is to have the sites communicate with each other directly, rather than using client-side JavaScript. Write a small light-weight REST API which allows the data to be transferred behind the scenes, server to server.

When linking to Site A, include an authentication token in the URL which can then be checked using the behind-the-scenes call to Site B. This call can transfer any additional required information. The token should probably be IP-bound, and expire after use. Upon success, you can set up your cookie information in Site A, to avoid the need for further round trips.

美人骨 2024-11-08 09:28:42

您可以使用 easyXDM 在域之间进行通信。有了它,您就有了两个 javascript 程序,一个在消费者域上,另一个在提供者域上,它们可以断言消费者的域。这两个程序都可以与用户交互,并且用户可以向双方验证自己的身份。由于提供商程序知道用户是谁,并且知道消费者是谁,因此提供商可以将其想要的任何数据传递给消费者。

Twitter、Disqus 和 LinkedIn 等大公司的 API 就是采用这种方式。

You could use easyXDM to communicate between the domains. With it you have two javascript Programs, one on the consumers domain, and one on the providers, which can assert the domain of the consumer. Both these Programs can interact with the user, and the user can authenticate itself to both parties. With the providers Program knowing who the user is, and knowing who the consumer is, the provider can pass whatever data it wants to the consumer.

This is what big companies like Twitter, Disqus and LinkedIn use for their API's.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文