PushState 如何防止潜在的内容伪造?

发布于 2024-11-10 14:38:49 字数 1279 浏览 6 评论 0原文

正如 GitHub 博客 所示,他们已经实现了 HTML5 的 JavaScript pushState 树浏览功能(适用于现代浏览器),带来AJAX 导航没有 Hash Bangs

代码很简单:

$('#slider a').click(function() {
  history.pushState({ path: this.path }, '', this.href)
  $.get(this.href, function(data) {
    $('#slider').slideTo(data)
  })
  return false
})

这非常优雅地允许他们:

  1. 通过 AJAX 请求新内容而不是整个页面
  2. 对过渡进行动画处理
  3. 并且 更改浏览器 URL (不仅仅是 #,正如 Twitter 所做的那样 — twitter.com/stackexchangetwitter.com/#!/stackexchange )

我的问题是,JavaScript 如何防止一个网站使用 pushState 来模仿另一个网站,导致令人信服的网络钓鱼攻击

至少,域名似乎无法更改,但是站点内的多个路径(可能由多个不相关且不信任的内容提供商)又如何呢?一条路径 (IE /joe) 是否可以本质上模仿另一条路径 (pushState /jane) 并提供模仿内容,可能具有恶意目的?

As seen in GitHub's blog, they've implemented HTML5's JavaScript pushState feature for tree browsing (for modern browsers), bringing AJAX navigation without Hash Bangs.

The code is simple:

$('#slider a').click(function() {
  history.pushState({ path: this.path }, '', this.href)
  $.get(this.href, function(data) {
    $('#slider').slideTo(data)
  })
  return false
})

This quite elegantly allows them to:

  1. Request the just the new content through AJAX instead of a full page
  2. Animate the transition
  3. And change the browsers URL (not just the #, as Twitter does — twitter.com/stackexchangetwitter.com/#!/stackexchange )

My question is, how does JavaScript prevent against the use of pushState by one website to imitate another, resulting in a convincing phishing attack?

At the very least it seems that the domain can't be changed, but what about multiple paths within a site, potentially by multiple unrelated and untrusting content providers? Could one path (I.E. /joe) essentially imitate another (pushState /jane) and provide imitative content, with possibly malicious purposes?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

旧人 2024-11-17 14:38:49

我的理解是,这与管理 XMLHttpRequest同源策略 完全一致code>、设置 cookies 以及各种其他浏览器功能。假设是,如果它位于相同的域+协议+端口上,那么它就是可信资源。通常,作为 Web 开发人员,这就是您想要(和需要)的,以便您的 AJAX 脚本能够正常工作,并且您的 cookie 在整个站点上都可读。如果您正在运行一个用户可以发布内容的网站,那么确保他们无法对彼此的访问者进行网络钓鱼或键盘记录是您的工作,而不是浏览器的工作。

这里有更多有关 FireFox 人员对 pushState 的看法的详细信息 - 这对他们来说似乎不是问题。这里还有另一个关于可能的 pushState 安全漏洞的讨论,但这是一个不同的问题,即能够在其他人的 URL 末尾隐藏恶意查询字符串。

My understanding is that this is perfectly consistent with the Same Origin Policy that governs XMLHttpRequest, setting cookies, and various other browser functions. The assumption is that if it's on the same domain + protocol + port, it's a trusted resource. Usually, as a web developer, that's what you want (and need) in order for your AJAX scripts to work and your cookies to be readable throughout your site. If you are running a site where users can post content, it's your job, not the browser's, to make sure they can't phish or keylog each other's visitors.

Here's some more detail on what the FireFox folks are thinking about pushState - it doesn't seem like this is an issue for them. There's another discussion of a possible pushState security hole here, but it's a different concern, about being able to hide a malicious querystring on the end of someone else's URL.

樱娆 2024-11-17 14:38:49

正如 nrabinowitz 所说,用更通俗的话来说:它仅限于同一个域,就像 ajax 调用和 cookie 一样。所以它是完全安全的——尽管对最终用户来说有点偷偷摸摸。

我们(开发人员)一直在使用哈希标签这样做,但它更好,因为:

  1. 它看起来更干净。
  2. 在重新访问深层链接时,您实际上可以显示真实的 html 数据来支持 SEO 和 Facebook Open Graph 等内容(两者都会发送蜘蛛来扫描您页面的 html)。
  3. 服务器无法访问哈希标签数据,因此您在服务器日志中看不到它,因此它可以帮助某些人进行分析。
  4. 它有助于解决哈希标签问题。例如,我重写了 Nginx,将访问我的应用程序的用户重定向到相同的 https url。它适用于所有浏览器,但 Safari 会将您重定向到没有哈希值的域(太烦人了!)

As nrabinowitz has stated and in more layman's terms: it's limited to the same domain, just like ajax calls and cookies. So it's completely safe—though a little sneaky to the end user.

Us (developers) have been doing this forever with hash tags forever but it's better because:

  1. It looks cleaner.
  2. On revisit of a deep link you can actually surface real html data to support things like SEO and Facebook Open Graph (both send spiders to scape the html of your page).
  3. Servers don't have access to hash tags data so you don't see it in your server logs so it helps some with analytics.
  4. It helps fix hash tag issues. For example I had an Nginx rewrite to redirect users visiting my app to the same https url. It works in all browsers but Safari which will redirect you to just the domain without the hash (so annoying!)
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文