[Web Security] JSONP hijacking

1. What JSONP is

JSONP (JSON with Padding) is a JSON-based technique that was devised to load resources across origins. Its basic principle is that the HTML <script></script> tag is not restricted by the same-origin policy, so a page can load a remote script file that carries JSON data and have the browser execute it; that is how the data is transferred across domains.

A more detailed description can be found here: https://blog.csdn.net/hansexploration/article/details/80314948

As that article puts it, JSONP uses a dynamically inserted <script> element to imitate an Ajax call, but unlike XMLHttpRequest it can fetch data across domains.

2. JSONP hijacking

Because JSONP hands data across origins, it brings a security problem with it: if site B's JSONP endpoint returns the requesting user's data without performing any security check on the request, site B has a JSONP hijacking vulnerability, and a malicious site A can use it to obtain the user's data held by B. The attack runs as follows:

  1. The user registers and logs in on site B; B holds the user's id, name, email and other information, and the browser now holds B's session cookie.

  2. The user visits a URL on site A in the same browser.

  3. Site A returns a page that defines a JavaScript callback function and contains a <script> tag whose src points at site B's JSONP endpoint, with the name of the callback in the query string.

  4. The browser parses the page and, when it processes the script tag, sends a request to site B that carries the callback name as a parameter; because the request is addressed to B, the browser attaches B's cookies to it.

  5. Site B receives the request, parses the callback name out of the URL, generates the JSON data for the logged-in user, and returns it to the browser wrapped in a call to the callback function.

  6. When the response arrives, the browser executes it as JavaScript, so the callback registered in step 3 runs with the user's JSON data as its argument and can send that data on to site A's server. Site A has thereby obtained the information the user registered on site B through B's JSONP vulnerability.
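The six steps above, as an added example that is not code from the original post: site B's vulnerable endpoint, the browser's handling of a cross-site <script> tag, and site A's attacker page are each modelled as a plain function so the whole flow runs offline in Node.js. The hostnames (a.example, b.example), the session store, the cookie value and the user record are constructed for the demo.

```javascript
// --- Site B: vulnerable JSONP endpoint -----------------------------------
// Constructed session store: Cookie header value -> logged-in user record.
const sessionsB = {
  'sid=abc123': { id: 42, name: 'alice', email: 'alice@example.com' },
};

// Site B answers any request that carries a valid session cookie, wrapping
// the user's record in whatever callback name the query string supplies.
// No Referer check, no token, no callback validation: the "B performs no
// security check" case from the text.
function vulnerableJsonpEndpoint(req) {
  const user = sessionsB[req.cookie];
  if (!user) return { status: 401, body: '' };
  const cb = req.query.callback;                 // step 5: taken from the URL as-is
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `${cb}(${JSON.stringify(user)});`,     // e.g. leak({"id":42,...});
  };
}

// --- Browser: what <script src="https://b.example/..."> does -------------
// The same-origin policy does not block a script load; the browser attaches
// B's cookies to the request (step 4) and then executes the response text as
// JavaScript inside the page that contained the tag (step 6).
function browserLoadsScript(endpoint, src, cookieForB) {
  const url = new URL(src);
  const query = Object.fromEntries(url.searchParams);
  const res = endpoint({ query, cookie: cookieForB, referer: 'https://a.example/steal.html' });
  if (res.status !== 200) return false;
  // A function built with the Function constructor runs non-strict and
  // resolves free names (the callback) against the global object, like a page.
  new Function(res.body)();
  return true;
}

// --- Site A: attacker page ------------------------------------------------
// Defines the callback (step 3), points a script tag at B (steps 3/4) and
// collects whatever the callback receives (step 6). A real page would POST
// the data to A's server; here it is simply returned to the caller.
function attackerPageSteals(victimCookieForB) {
  const exfiltrated = [];
  globalThis.leak = (data) => { exfiltrated.push(data); };  // registered callback
  try {
    browserLoadsScript(
      vulnerableJsonpEndpoint,
      'https://b.example/api/user?callback=leak',
      victimCookieForB,
    );
  } finally {
    delete globalThis.leak;
  }
  return exfiltrated;
}

// attackerPageSteals('sid=abc123') -> [{ id: 42, name: 'alice', email: 'alice@example.com' }]
```

Note that site A never sees the cookie itself; it only needs the browser to send it. The data that comes back is whatever B is willing to tell the authenticated user, which is why the only things B can do about it are the request-side and output-side checks in the next section.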

3. Defenses

The greatest harm of JSONP hijacking is the leakage of private information: everything the victim's authenticated session (their cookie) unlocks on site B becomes readable by site A. The defenses are as follows:

1. Apply the same anti-CSRF controls to a JSONP endpoint as to any other request that acts on the user's session: restrict the Referer (or Origin) header to an allow-list and require a per-session token that only B's own pages can know.

2. For endpoints that return plain JSON (no callback), output strictly well-formed JSON with the correct encoding and Content-Type (Content-Type: application/json; charset=utf-8); combined with X-Content-Type-Options: nosniff, this makes the browser refuse to execute the response if someone loads it through a <script> tag.

3. Strictly validate the callback function name (for example, allow only JavaScript identifier characters) and strictly control which data is written into the JSON output.

4. Strictly limit the length of the JSONP callback name; this also defeats the trick of smuggling a whole Flash (SWF) file into the response through the callback parameter.

5. A few less common measures: prefix the callback output with characters such as /**/ or a carriage return/line feed. This does not affect loading the file as a script, but to some extent it prevents the response from being interpreted as some other file format. Another early example, reportedly used by Gmail for JSON fetched via Ajax, is to prefix the JSON body with while(1); so that the response is useless when loaded by a remote <script> tag. That trick only works for plain JSON consumed by XMLHttpRequest, which strips the prefix before parsing; a genuine JSONP endpoint must remain executable, so it has to rely on the other measures.
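The five defenses above combined in one handler, as an added example that is not code from the original post: the endpoint is modelled as a plain function so it runs offline in Node.js. The Referer allow-list, the session store, the output field names, the CSRF token value and the request shape are all constructed for the demo.

```javascript
const ALLOWED_REFERER_PREFIXES = ['https://b.example/', 'https://www.b.example/'];
const MAX_CALLBACK_LENGTH = 64;
// A plain JavaScript identifier, optionally dotted (e.g. "app.onUser"); nothing else.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Constructed session store: Cookie header value -> user record plus the
// per-session CSRF token that B's own pages embed in the URLs they request.
const sessions = {
  'sid=abc123': { id: 42, name: 'alice', email: 'alice@example.com',
                  passwordHash: 'not-for-output', csrf: 't0k3n' },
};

function refererAllowed(referer) {
  // A <script> tag on a.example arrives with Referer: https://a.example/...
  // A missing Referer is rejected as well; the token check is the backstop.
  return typeof referer === 'string' &&
    ALLOWED_REFERER_PREFIXES.some((p) => referer.startsWith(p));
}

function validCallbackName(name) {
  return typeof name === 'string' &&
    name.length <= MAX_CALLBACK_LENGTH && CALLBACK_RE.test(name);
}

// Serialise the chosen fields and escape U+2028/U+2029, which are legal in
// JSON strings but line terminators in older JavaScript engines.
function safeJson(obj) {
  return JSON.stringify(obj)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function hardenedJsonpEndpoint(req) {
  const user = sessions[req.cookie];
  if (!user) return { status: 401, headers: {}, body: '' };

  // Defense 1: Referer allow-list plus per-session token, the same controls
  // as for any CSRF-prone request.
  if (!refererAllowed(req.referer)) return { status: 403, headers: {}, body: '' };
  if (req.query.token !== user.csrf) return { status: 403, headers: {}, body: '' };

  // Defense 3 (output side): an explicit allow-list of fields, never the raw record.
  const payload = safeJson({ id: user.id, name: user.name, email: user.email });

  if (req.query.callback === undefined) {
    // Defense 2: plain JSON gets the JSON content type; with nosniff the
    // browser refuses to run it if it is loaded through a <script> tag.
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json; charset=utf-8',
                 'X-Content-Type-Options': 'nosniff' },
      body: payload,
    };
  }

  // Defenses 3 and 4 (input side): the callback must be a short identifier,
  // so "alert(1)//", "<svg onload=..." or a multi-kilobyte Flash payload are refused.
  if (!validCallbackName(req.query.callback)) return { status: 400, headers: {}, body: '' };

  // Defense 5: a "/**/" prefix so the bytes cannot double as another file
  // format, while the response is still a valid script for the legitimate caller.
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript; charset=utf-8',
               'X-Content-Type-Options': 'nosniff' },
    body: `/**/${req.query.callback}(${payload});`,
  };
}
```

With these checks, the attacker page from the previous section gets a 403 (wrong Referer, and it cannot know the token), a request that forges the Referer but not the token still gets a 403, and a callback name such as alert(1)// gets a 400. The legitimate page on b.example, which can read the token from its own HTML, still receives `/**/showUser({...});` exactly as before.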


Origin blog.csdn.net/qq_37865996/article/details/104254931