Requesting a website by client side script = Cross Side Scripting Hack. But requesting a website by server side script is not a hack! Why?

 ̄綄美尐妖づ 提交于 2019-12-06 14:35:22

问题


Generally, when we want to show the contents of some web page in the same page, we go for ajax requests. If say, I request to a web page in different domain with AJAX, it is not allowed because of the Cross side scripting error. But why is it allowed to access via a server side page. For e.g. we can use CURL in php to access any site.? Why is this feature OK for server side scripting and NOT OK for Client Side Scripting?


回答1:


Because a malicious script can open an external page without the premission of the user. For instance imagine an insecure textarea. If the contents of this textbox is shown to other users it might contain a script that connects to a remote host and sends sensitive user info to it. It all boils down to: server-side -> you are in control, client-side -> public, so prone to abuse.




回答2:


See:

Same origin policy

In computing, the same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites.



来源:https://stackoverflow.com/questions/3023050/requesting-a-website-by-client-side-script-cross-side-scripting-hack-but-requ

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!