Is it safe to use jsonp if I need authentication headers?

I want to use jsonp so that other sites can receive json data from my site. I understand that it would be dangerous if I used cookies to authenticate users, because browsers send cookies with all requests to my site, so a malicious page could make authenticated requests on behalf of my users without asking them.

All requests to my service must be authenticated using a special request header, X-AG-AUTH. This header should contain a secret token that identifies the user.

Can a malicious site get data from my service through jsonp without providing the user with a secret token?

1 answer

Well, requiring the custom header for the jsonp call would render the jsonp call useless for requests coming from other domains, because your callers will not be able to set these headers.

You can use a somewhat similar approach: require a CSRF-style token passed as a parameter in the POST request. This will require that you share both the logic for generating these tokens and the secret key with each site that you want to allow to call your endpoint. Of course, if any of these keys were ever compromised on the remote server side, you probably would not know about it before it was too late.

