开发者

Requesting a website by client side script = Cross Side Scripting Hack. But requesting a website by server side script is not a hack! Why?

Generally, when we want to show the contents of some web page in the same page, we go for ajax requests. If say, I request to a web page in different domain with AJAX, it is not allowed because of the Cross side scripting error. But why is it allowed to access via a server side page. For e.g. we can use CURL in php to access any site.? Why is this feature OK for server side scripting and NOT O开发者_如何学运维K for Client Side Scripting?


Because a malicious script can open an external page without the premission of the user. For instance imagine an insecure textarea. If the contents of this textbox is shown to other users it might contain a script that connects to a remote host and sends sensitive user info to it. It all boils down to: server-side -> you are in control, client-side -> public, so prone to abuse.


See:

Same origin policy

In computing, the same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜