开发者

How to use JSONP to overcome XSS issue?

问答 作者:

I have a piece of javascript executing on a jetty server which is sending a XMLHTTPRequest to a scoket on another server(wamp server). The request gets sent to the开发者_如何转开发 socket, however the XHR response seems to be getting blocked.

I have heard that I can use JSONP to overcome this problem. However as I am new to both javascript and I have never used JSONP technique before I would greatly appreciate any help in how to use this technique?

function sendPost(url, postdata, callback) {

xmlHttp=GetXmlHttpObject()

if (xmlHttp==null) {
    alert ("Browser does not support HTTP Request")
    return
} 

xmlHttp.onreadystatechange=callback
xmlHttp.open("POST",url,true)
xmlHttp.send(postdata);

}

function sendInitRQ(width, height) {

var post = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><command     type=\"init\"><width>" + width + "</width><height>" + height + "</height></command>";

sendPost("http://localhost:80/socket.php", post, initReturned);

}

I know that the php socket is recieving the post as when i check the server log i get a 200 on the get request.

I just want to know how can I use the JSONP approach? I have seen exampples of the approach but Iam stilll unsure of how to do it.

The JSONP technique uses a completely different mechanism for issuing HTTP requests to a server and acting on the response. It requires cooperating code in the client page and on the server. The server must have a URL that responds to HTTP "GET" requests with a block of JSON wrapped in a function call. Thus, you can't just do JSONP transactions to any old server; it must be a server that explicitly provides the functionality.

The idea is that your client-side code creates a <script> block dynamically, with the "src" attribute set to the URL of the JSONP server. The URL should contain a parameter telling the server the name of the Javascript function you expect it to call with the JSON data. (Exactly what parameter name to use depends on the server; usually it's "callback", but I've seen some that use "jsonp".) The client must of course have that function in the global scope. In other words, if you have a function like

function handleJSON(json) {
  var something = json.something;
  // ... whatever ...
}

then your URL tells the server to call "handleJSON", and the server response should look like this:

handleJSON({"id": 102, "something": { "more": "data", "random": true }});

Thus when the <script> block is loaded from the "src" URL you gave, the browser will interpret the contents (the response from the server) and your function will be called.

It should be clear that you should only make JSONP requests to servers you trust, since they're sending back code to execute in your client, with access to any active session(s) your client has with other secured sites.

edit — Here's a nice article: http://www.ibm.com/developerworks/library/wa-aj-jsonp1/

继续阅读:javascriptjsonpxmlhttprequestxss

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9