<small id='qgF9h'></small><noframes id='qgF9h'>

    <tfoot id='qgF9h'></tfoot>
      <bdo id='qgF9h'></bdo><ul id='qgF9h'></ul>
    <i id='qgF9h'><tr id='qgF9h'><dt id='qgF9h'><q id='qgF9h'><span id='qgF9h'><b id='qgF9h'><form id='qgF9h'><ins id='qgF9h'></ins><ul id='qgF9h'></ul><sub id='qgF9h'></sub></form><legend id='qgF9h'></legend><bdo id='qgF9h'><pre id='qgF9h'><center id='qgF9h'></center></pre></bdo></b><th id='qgF9h'></th></span></q></dt></tr></i><div id='qgF9h'><tfoot id='qgF9h'></tfoot><dl id='qgF9h'><fieldset id='qgF9h'></fieldset></dl></div>
    1. <legend id='qgF9h'><style id='qgF9h'><dir id='qgF9h'><q id='qgF9h'></q></dir></style></legend>
    2. 如何保护小部件免受伪造请求

      How to protect widgets from forged requests(如何保护小部件免受伪造请求)

        <tfoot id='JigAd'></tfoot>

        <small id='JigAd'></small><noframes id='JigAd'>

            <bdo id='JigAd'></bdo><ul id='JigAd'></ul>
          • <legend id='JigAd'><style id='JigAd'><dir id='JigAd'><q id='JigAd'></q></dir></style></legend>
            <i id='JigAd'><tr id='JigAd'><dt id='JigAd'><q id='JigAd'><span id='JigAd'><b id='JigAd'><form id='JigAd'><ins id='JigAd'></ins><ul id='JigAd'></ul><sub id='JigAd'></sub></form><legend id='JigAd'></legend><bdo id='JigAd'><pre id='JigAd'><center id='JigAd'></center></pre></bdo></b><th id='JigAd'></th></span></q></dt></tr></i><div id='JigAd'><tfoot id='JigAd'></tfoot><dl id='JigAd'><fieldset id='JigAd'></fieldset></dl></div>
                <tbody id='JigAd'></tbody>

                本文介绍了如何保护小部件免受伪造请求的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

                问题描述

                假设您有一个 JavaScript 小部件,当且仅当用户想要单击它时,它才需要向您的 Web 应用程序发出请求.您不希望此请求易受 CSRF 攻击,因此您将 iframe 写入页面.根据源继承规则,父站点将无法读取 CSRF 令牌.但是点击劫持(或 likejacking )呢?由于 CSRF,您必须在 iframe 中,并且对于 x-frame-options 无能为力,并且frame-busters 也是如此.

                Lets say you have a JavaScript widget which needs to fire off a request to your web application if and only if the user wants to click on it. You don't want this request to be vulnerable to CSRF so you write an iframe to the page. Based on the origin inheritance rules the parent site won't be able to read the CSRF token. However what about clickjacking (or likejacking )? Because of CSRF you must be within an iframe and there for the x-frame-options cannot help, and the same holds true for frame-busters.

                攻击者将在小部件加载后对 iframe 应用 SVG 掩码.此蒙版将使 iframe 不可见.此时,攻击者可以将 iframe 的大小调整为页面大小,或者让这个现在不可见的 iframe 跟随光标.无论何时用户点击页面上的任何位置,iframe 都会收到点击事件并结束游戏.

                The attacker is going to apply an SVG mask the iframe after the widget has loaded. This mask will make the iframe invisible. At this point the attacker can either resize the iframe to be the size of the page or have this now invisible iframe follow the cursor. Either way whenever the user clicks anywhere on the page, the iframe receives the click event and its game over.

                所以有一个二元性,你似乎被困在 CSRF 和 Clickjacking 之间.这个问题的最佳解决方案(如果有的话)是什么?

                So there is a duality, it seems you are stuck between CSRF and Clickjacking. What the best solution (if any) to this problem?

                推荐答案

                点击widget需要打开一个包含新页面的弹窗——iframe不行,必须是新窗口——这完全在您的 Web 应用程序的控制之下.在该页面上确认操作,无论它是什么.

                Clicking on the widget needs to open a pop-up window containing a new page -- an iframe is not good enough, it must be a new window -- which is entirely under the control of your web application. Confirm the action, whatever it is, on that page.

                是的,这有点不雅,但目前的 Web 安全架构并没有给您任何更好的选择.

                Yes, this is somewhat inelegant, but the present Web security architecture doesn't give you any better options.

                这篇关于如何保护小部件免受伪造请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

                本站部分内容来源互联网,如果有图片或者内容侵犯了您的权益,请联系我们,我们会在确认后第一时间进行删除!

                相关文档推荐

                Pause youtube video, youtube api(暂停 youtube 视频,youtube api)
                Youtube iframe api not triggering onYouTubeIframeAPIReady(Youtube iframe api 未触发 onYouTubeIframeAPIReady)
                How can I stop a video with Javascript in Youtube?(如何在 Youtube 中停止使用 Javascript 的视频?)
                How to call Greasemonkey#39;s GM_ functions from code that must run in the target page scope?(如何从必须在目标页面范围内运行的代码中调用 Greasemonkey 的 GM_ 函数?)
                How do you mute an embedded Youtube player?(如何使嵌入式 Youtube 播放器静音?)
                How to get number of video views with YouTube API?(如何使用 YouTube API 获取视频观看次数?)

                  <bdo id='KMsTx'></bdo><ul id='KMsTx'></ul>
                    <tbody id='KMsTx'></tbody>
                      <i id='KMsTx'><tr id='KMsTx'><dt id='KMsTx'><q id='KMsTx'><span id='KMsTx'><b id='KMsTx'><form id='KMsTx'><ins id='KMsTx'></ins><ul id='KMsTx'></ul><sub id='KMsTx'></sub></form><legend id='KMsTx'></legend><bdo id='KMsTx'><pre id='KMsTx'><center id='KMsTx'></center></pre></bdo></b><th id='KMsTx'></th></span></q></dt></tr></i><div id='KMsTx'><tfoot id='KMsTx'></tfoot><dl id='KMsTx'><fieldset id='KMsTx'></fieldset></dl></div>

                      <legend id='KMsTx'><style id='KMsTx'><dir id='KMsTx'><q id='KMsTx'></q></dir></style></legend>
                      1. <tfoot id='KMsTx'></tfoot>
                        • <small id='KMsTx'></small><noframes id='KMsTx'>