调用外部 JS 和 CSS 到我的网站 - 有什么风险
我有一个值得信赖的合作伙伴,我想让他调用我的 Iframe 并添加 JS/css 文件路径作为参数,我将这样调用它:
<script type="text/javascript" src="@(HttpUtility.UrlDecode(HttpContext.Current.Request.Params["CustomJs"]))" ></script>
<link type="text/css" media="screen" href="@(HttpUtility.UrlDecode(HttpContext.Current.Request.Params["CustomCss"]))" rel="stylesheet" />
这是为了允许他挂钩设计并注册一些 JS 挂钩。 合作伙伴是值得信赖的,并且会签署一份文件,表明 JS/css 的使用仅限于我们这边调用的允许功能。
问题是,我是否让我的客户面临任何形式的危险情况(假设合作伙伴都没事)。
一切都在 ssl 下
有什么安全风险。
谢谢
I have trustable partner that I want to allow him to call my Iframe and add a JS/css file path as a parameter and I will call it like that:
<script type="text/javascript" src="@(HttpUtility.UrlDecode(HttpContext.Current.Request.Params["CustomJs"]))" ></script>
<link type="text/css" media="screen" href="@(HttpUtility.UrlDecode(HttpContext.Current.Request.Params["CustomCss"]))" rel="stylesheet" />
This is in order to allow him to hook the design and to register some JS hooks.
The partner is trustable and will sign on a document that the use of the JS/css is only for allowed functions that will be called from our side.
The question is, Am I exposing my clients to a dangerous situation from any kind (assuming that the partners are OK).
it is all under ssl
What is the security risk.
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
风险在于,如果您合作伙伴的安全受到损害,您的系统也将变得不安全。假设,如果攻击者以某种方式将恶意代码添加到您合作伙伴的脚本中,该代码可能会传递到您的系统。这与跨站点脚本攻击高度相关 http://en.wikipedia.org/wiki/跨站点脚本。
为了规避这种风险,我建议为这些 JS/CSS 文件实施一个经过审核的代理。例如,ASP.NET 处理程序 (.ashx) 会调用合作伙伴的站点来获取原始脚本并将它们存储在内部某个位置(可能在数据库中),而相关框架则通过使用处理程序获取脚本和 CSS。类似于:
如果合作伙伴更改脚本,处理程序将通知站点所有者,甚至可能允许对任何外部文件进行预先审核。
The risk is that if the security of your partner is compromised, your system will become insecure as well. Hypothetically, if an attacker somehow adds malicious code to the scripts of your partner, the code may pass on to your system. This is highly related to the cross-site scripting attacks http://en.wikipedia.org/wiki/Cross-site_scripting .
In order to circumvent this risk, I would recommend implementing a moderated proxy for these JS/CSS files. For example, an ASP.NET Handler (.ashx) that would call the partner's site for original scripts and store them somewhere internally (perhaps in a database), whereas the frame in question takes the scripts and CSS through the usage of handler. Something like:
The handler would notify the site's owner if partner changes scripts, and may even allow pre-moderation of any external files.
由于 CSS 和 JavaScript 嵌入到框架中的文档中,而不是直接嵌入到您的文档中,因此 CSS 仅应用于框架的文档。
框架的 JavaScript 是否可以访问文档的 DOM 有点复杂。因为这里应用了同源策略。但是,除非您和您的合作伙伴具有相同的来源,否则您合作伙伴的 JavaScript 无法访问您文档的 DOM 并从中读取数据或更改它。
Since the CSS and JavaScript are embedded into the document in a frame and not directly into your document, the CSS is only applied to the frame’s document.
Whether the frame’s JavaScript can access your document’s DOM is a little more complicated. Because here the Same Origin Policy is applied. But unless you and your partner share the same origin, your partner’s JavaScript can’t access you document’s DOM and read data from it or change it.