javascript 如何克服这个安全问题
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6290149/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to overcome this security issue
提问by Alex R.
I have implemented an ajax-polling script that calls an action in the server Controller every 10 seconds. With the response, I replace the content of a div:
我已经实现了一个 ajax 轮询脚本,它每 10 秒在服务器控制器中调用一个操作。在响应中,我替换了 a 的内容div:
function getFoo() {
var link = '/Secure/GetFoo';
$.post(link, function (response) {
$('#FooSection').replaceWith(response);
});
setTimeout("getFoo();", 10000);
}
This is done through https. After some time of being "idle", IE displays the following message:
这是通过https完成的。在“空闲”一段时间后,IE 显示以下消息:
This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?
此页面正在访问不受其控制的信息。这会带来安全风险。你要继续吗?
If the user clicks Yes, the page is redirected to the divdisplaying the response only. If the user clicks No, nothing happens, but the divcontainer will not be refreshed.
如果用户单击Yes,页面将重定向到div仅显示响应。如果用户单击No,则不会发生任何事情,但div不会刷新容器。
I know I can suppress this message through browser settings, but that will just bring me to a default Yesselection as per the above dialog.
我知道我可以通过浏览器设置抑制此消息,但这只会使我按照上述对话框进入默认的Yes选择。
A similar issue has been asked before, but unfortunately there hasn't been any solution. I basically want to make my ajax-polling work even on a secureconnection. Any ideas?
之前也有人问过类似的问题,但不幸的是没有任何解决方案。我基本上想让我的 ajax 轮询即使在安全连接上也能工作。有任何想法吗?
采纳答案by EricLaw
You should never see that dialog on an Internet-Zone page. By default, this operation is silently and automatically blocked in the Internet Zone.
您永远不应该在 Internet-Zone 页面上看到该对话框。默认情况下,此操作在 Internet 区域中以静默方式自动阻止。
There are two root causes for that dialog to appear in the Intranet zone:
该对话框出现在 Intranet 区域中有两个根本原因:
1> Attempting to do a cross-origin request using the XMLHTTPRequest object (http://blogs.msdn.com/b/ieinternals/archive/2011/04/22/ie-security-prompt-page-accessing-cross-domain-information-not-under-its-control.aspx)
1> 尝试使用 XMLHTTPRequest 对象进行跨域请求 (http://blogs.msdn.com/b/ieinternals/archive/2011/04/22/ie-security-prompt-page-accessing-cross-domain -信息不在其控制之下.aspx)
2> Attempting to navigate an OBJECT Tag hosting HTML to a cross origin page.
2> 尝试将托管 HTML 的 OBJECT 标签导航到跨源页面。
You can avoid case #1 by using XDomainRequest instead of XMLHTTPRequest. You can avoid case #2 by using an IFRAME instead of an OBJECT tag.
您可以通过使用 XDomainRequest 而不是 XMLHTTPRequest 来避免情况 #1。您可以通过使用 IFRAME 而不是 OBJECT 标签来避免情况 #2。
回答by Mick Hansen
I ran into a similar problem the other day, being unable to find out why IE would complain after an AJAX request.
前几天我遇到了类似的问题,无法找出 IE 在 AJAX 请求后会抱怨的原因。
I used Firebug's net console and just went through the requests one by one till i found one that was http:// instead of https://, i suggest you do the same - It'll be allmost impossible for us to debug this without seeing the page, but it could be something as little as a background image not being loaded via https.
我使用了 Firebug 的网络控制台,并一一浏览了请求,直到我发现一个是 http:// 而不是 https://,我建议您也这样做 - 我们几乎不可能在没有的情况下调试它看到页面,但它可能是没有通过 https 加载的背景图像。
Note:I did notice you saying it was IE, but a problem like this would probably not be browser-specific, Firefox/Chrome just doesn't make the same fuss about there being non https elements as IE does.
注意:我确实注意到你说它是 IE,但像这样的问题可能不是特定于浏览器的,Firefox/Chrome 不会像 IE 那样对非 https 元素大惊小怪。
回答by KooiInc
回答by Nicolas
There's two things about your code :
你的代码有两件事:
Why do you use a POST ajax request ? why not GET ? Your request looks like a GET request (you want to get some data), so the GET method is probably a better choice.
为什么要使用 POST ajax 请求?为什么不 GET ?您的请求看起来像 GET 请求(您想要获取一些数据),因此 GET 方法可能是更好的选择。
It's not linked to your problem, but you should not use setTimeout with a string to eval. You should give setTimeout a variable as the first argument, and this variable should be the function you want to execute.
它与您的问题无关,但您不应将 setTimeout 与字符串一起使用来进行评估。你应该给 setTimeout 一个变量作为第一个参数,这个变量应该是你要执行的函数。
function getFoo() {
var link = '/Secure/GetFoo';
$.get(link, function (response) {
$('#FooSection').replaceWith(response);
});
window.setTimeout(getFoo, 10000);
}
回答by Pantelis
If there is even one element whose src attribute begins with "http" instead of "https" in your code, IE will show that message.
如果您的代码中甚至有一个元素的 src 属性以“http”而不是“https”开头,IE 就会显示该消息。
Are you sure that the data you 're fetching has no elements that have src="http:// ... " in their src attribute?
您确定要获取的数据的 src 属性中没有包含 src="http:// ... " 的元素吗?
回答by Martin Jespersen
I've seen this happen before because the new content being inserted via the ajax call had links to none secure image assets, any chance this is the problem you are seeing?
我以前见过这种情况,因为通过 ajax 调用插入的新内容具有指向非安全图像资产的链接,这可能是您看到的问题吗?
回答by sandeep
Did you try using absolute url?
您是否尝试使用绝对网址?
var link = 'https://www.yourdomain.com/Secure/GetFoo';
var link = 'https://www.yourdomain.com/Secure/GetFoo';
