How to make a cross-domain form CSRF and replay resistant?


I'm contemplating making a project, but I'm wondering if cross-site request forgery would make it impossible to secure.

Basically, I want to have a web service that generates a form using the usual tricks (JSON-P and iframes) on another domain's page. So WebService.example.com generates a form's HTML, and it's shown to the user on User.example.com.

This form, I assume, will have to use the injected iframe trick to submit the form from JavaScript. Because anyone would be able to just get the same data from WebService.example.com, how can I ensure that it's actually only coming from User.example.com? Preferably, without having to have any server-side code running on User.example.com.

Note, I'll be using ASP.Net for the WebService, but I'd like it explained in a language/framework-agnostic manner.

1 solution

#1

1

This is pretty hard to do without using server side scripts on both domains.


If you change your architecture and just use Cross-Domain Messaging (host the form etc. in the top domain, use an iframe for communication), then you could use the XDM to verify that it is indeed the intended domain you are talking to.

If you only target HTML5-capable browsers, then use postMessage; if you want broader support, and things like RPC etc., then use easyXDM, which abstracts all of the hassle of cross-domain messaging.

Actually, you can host your form in either document, you just need to use the XDM-communication in order to do a successful 'handshake', verifying the origin.


Note!

Articles translated on this site are copyrighted by this site; reposting without permission is prohibited. When reposting, please cite this article's address: https://www.itdaan.com/blog/2011/05/01/72a09e170d5c8fbc54c95f9132747f06.html