Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
521 views
in Technique[技术] by (71.8m points)

xss - Is it safe to use $.support.cors = true; in jQuery?

I was trying to hit a web service on a different domain using jQuery's ajax method. After doing some research it looks like it does not allow this is by design to prevent cross site scripting.

I came across a work around which was to include this line:

$.support.cors = true;

at the top of my javascript code. From what I understand this enables cross site scripting in jQuery.

Does having this line of code make my site more vulnerable to attack? I've always heard XSS discussed as a security issue, are there legitimate uses for XSS?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

XSS is not a feature that can be enabled in jQuery. It would be very very unusual if the jQuery core had an XSS vulnerability, but it is possible and its called DOM-based XSS.

"Cross-Origin Resource Sharing" or CORS isn't the same as XSS, BUT, but if a web application had an XSS vulnerability, then an attacker would have CORS-like access to all resources on that domain. In short, CORS gives you control over how you break the same origin policy such that you don't need to introduce a full on XSS vulnerability.

The $.support.cors query feature relies upon the Access-Control-Allow-Origin HTTP response header. This could be a vulnerability. For example, if a web application had Access-Control-Allow-Origin: * on every page, then an attacker would have the same level of access as an XSS vulenrablity. Be careful what pages you introduce CORS headers, and try and avoid * as much as possible.

So to answer your question: NO a web application never needs to introduce an XSS vulnerability because there are way around the SOP such as CORS/jsonp/cross domain proxies/access-control-origin.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...