原文地址: http://stackoverflow.com/questions/7852225/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): Stack Overflow
Is it safe to use $.support.cors = true; in jQuery?
Asked by Abe Miessler
I was trying to hit a web service on a different domain using jQuery's ajax method. After doing some research, it looks like this is not allowed by design, to prevent cross-site scripting.
I came across a workaround, which was to include this line:
$.support.cors = true;
at the top of my JavaScript code. From what I understand, this enables cross-site scripting in jQuery.
Does having this line of code make my site more vulnerable to attack? I've always heard XSS discussed as a security issue; are there legitimate uses for XSS?
Accepted answer by rook
XSS is not a feature that can be enabled in jQuery. It would be very, very unusual if the jQuery core had an XSS vulnerability, but it is possible, and it's called DOM-based XSS.
"Cross-Origin Resource Sharing" or CORS isn't the same as XSS, but if a web application had an XSS vulnerability, then an attacker would have CORS-like access to all resources on that domain. In short, CORS gives you control over how you break the same-origin policy, such that you don't need to introduce a full-on XSS vulnerability.
The $.support.cors jQuery feature relies upon the Access-Control-Allow-Origin HTTP response header. This could be a vulnerability. For example, if a web application had Access-Control-Allow-Origin: * on every page, then an attacker would have the same level of access as an XSS vulnerability. Be careful on which pages you introduce CORS headers, and try to avoid * as much as possible.
So to answer your question: NO, a web application never needs to introduce an XSS vulnerability, because there are ways around the SOP such as CORS/JSONP/cross-domain proxies/access-control-origin.
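The accepted answer's point is that the danger lives in the server's Access-Control-Allow-Origin policy, not in the client-side jQuery flag. The following is an added example, not code from the Stack Overflow answers or from jQuery: it places the wildcard policy rook warns about beside an origin-allowlist policy, models the browser's decision about whether a page on another origin may read the response, and includes a small audit helper for spotting wildcard endpoints in captured response headers. The allowlist, origins and sample responses are constructed values.

```javascript
// Added example (not from the original Stack Overflow answers or jQuery).
// Origins and sample responses below are constructed for illustration.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak policy: every origin gets the same answer, so any page on the web
// that can make the request can also read the response body.
function weakCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened policy: echo the requesting origin only if it is on the allowlist.
// Returning no header at all for unknown origins makes the browser block the
// read. "Vary: Origin" keeps shared caches from serving one origin's answer
// to another origin.
function hardenedCorsHeaders(requestOrigin, allowCredentials = false) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) {
    return {};
  }
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin',
  };
  if (allowCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Models the browser's CORS read check for a simple (non-preflighted)
// request: a page at `pageOrigin` may read the response when the header
// names that origin exactly, or is "*" for a request made without
// credentials. Browsers reject "*" for credentialed requests, so a
// cookie-bearing request needs the explicit origin plus Allow-Credentials.
function canReadCrossOrigin(headers, pageOrigin, withCredentials = false) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  if (acao !== pageOrigin) return false;
  return withCredentials
    ? headers['Access-Control-Allow-Credentials'] === 'true'
    : true;
}

// Audit helper: given response headers captured per endpoint, list the
// endpoints whose body would be readable from any origin.
function wildcardCorsEndpoints(samples) {
  return Object.keys(samples).filter(
    (path) => samples[path]['Access-Control-Allow-Origin'] === '*'
  );
}

// Constructed sample: two endpoints still carry the wildcard, one is fixed.
const SAMPLE_RESPONSES = {
  '/api/public/status': weakCorsHeaders(),
  '/api/account/profile': weakCorsHeaders(),
  '/api/account/settings': hardenedCorsHeaders('https://app.example.com'),
};

console.log('readable by any origin (weak):',
  canReadCrossOrigin(weakCorsHeaders(), 'https://other.example'));
console.log('readable by unknown origin (hardened):',
  canReadCrossOrigin(hardenedCorsHeaders('https://other.example'),
    'https://other.example'));
console.log('wildcard endpoints:', wildcardCorsEndpoints(SAMPLE_RESPONSES));
```

Note that `$.support.cors = true` never appears on the server side of this model: the flag only tells jQuery to attempt the request, and the response body stays unreadable unless the server's policy names the calling origin. Unauthenticated public data is the one case where a wildcard is reasonable; anything served per-user should be on the allowlist path.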
Answer by bjornd
It can help only if you have CORS enabled in your browser, but it isn't supported by jQuery yet:
To enable cross-domain requests in environments that do not support CORS yet but do allow cross-domain XHR requests (Windows gadget, etc.), set $.support.cors = true;. CORS WD
Just setting this property to true can't cause a security vulnerability.
Answer by Tim
When a hacker is able to inject script code to change the requests to another domain, he is also able to set this JavaScript flag in the script.
So whether this flag is set doesn't change much at this point of the intrusion.