Why do workarounds like JSONP and CORS exist when all browsers have the Same Origin Policy?

2023-09-11 00:37:07 Author: ▁小情绪。没格调

This question is kind of a duplicate of: Why same origin policy for XMLHttpRequest

However, this answer isn't satisfactory because it doesn't address the fact that there are workarounds (as stated in the question). The answer only addresses security concerns related directly to the XMLHttpRequest, but these problems are still present with JSONP (and possibly CORS, not sure). So the question still remains: why have a strict Same Origin policy when there are workarounds like JSONP that are arguably even worse (because it's executable rather than static content)?

Here's an example: Company.com wants to make an AJAX call to some unprotected resource, like a simple public API for some data lookup. Company.com realizes that this may be insecure, so they will carefully scrub the data to ensure there is no funny business. However, XMLHttpRequest does not allow this, so Company.com must use JSONP, but this would prevent the scrubbing of data and could result in an attacker injecting arbitrary JavaScript onto the page. How is this a better solution?

Another example: Company.com has a vulnerability and an attacker is able to inject JavaScript onto the page, which is then viewable by some user (there are a million ways this can happen; it's probably the most common website attack). With a strict Same-Origin policy, the attacker can mess with the page all day long but he can't "call home", which is an important detail because it means all your data is safe. But JSONP (and image tags) break this by allowing the attacker to scrape all your personal data from the page and send it wherever. This is still a reality even with CORS because I can tell my rogue server to allow inbound XS requests from any domain.

In other words, in what scenario does a locked-down XMLHttpRequest actually provide a greater degree of security?

Recommended answer

Your premise is incorrect. The Same Origin Policy says nothing about the ability of a web page to include resources on an external domain. It prevents direct access to resources via scripting that are owned by different Origins without them opting in.

Therefore CORS and JSONP are not workarounds for the Same Origin Policy. CORS enables an Origin to opt in to XHR requests with responses, and JSONP is simply a hack to allow an external reference to return dynamic data to the page.

The point here is to secure your page so that XSS is not possible in the first place. To do this the focus should be on correctly encoding text that is output to the page. This will prevent 'phoning home' as an attack will not be possible in the first place. A Content Security Policy can help neutralise any script that manages to slip through the net. A regular security vulnerability assessment on your website should pick up unencoded output; think of the CSP as filling in the gaps between when these are found and fixed, although browser support is not fully there yet, especially with Internet Explorer.

However, XMLHttpRequest does not allow this, so Company.com must use JSONP, but this would prevent the scrubbing of data and could result in an attacker injecting arbitrary JavaScript onto the page. How is this a better solution?

It is not. CORS is a better solution as the request retrieves data rather than executable code. CORS allows XMLHttpRequest to do this.

With the CORS response header Access-Control-Allow-Origin the website owner of example.com could set this to

Access-Control-Allow-Origin: https://company.com

to allow only company.com client-side access to the data over HTTPS via a user's browser.

In this CORS scenario, example.com is trusting company.com with the data response for that particular request only. In combination with the Access-Control-Allow-Credentials header they can optionally request any authorisation cookies from the user at their browser be sent with the request, and the response to be read by JavaScript at company.com.

In a JSONP scenario, company.com would be trusting example.com with their whole Origin. This means they are trusting example.com with the whole client-side security model. Example.com could do anything it wants to company.com's site. So if example.com is compromised by hackers, they could also control company.com user sessions once each user visits the page containing the <script src="https://example.com/... tag.

In other words, in what scenario does a locked-down XMLHttpRequest actually provide a greater degree of security?

Everywhere on the internet.

Say you were logged into Gmail. For argument's sake, say Gmail had an AJAX method that got your inbox contents:

https://gmail.com/services/inbox/get_conversations

Now, you are surfing the web and you land on my site, evil.com.

Evil.com contains some JavaScript to make a POST request to https://gmail.com/services/inbox/get_conversations, which will send your cookies from gmail.com back to gmail.com as you are logged in.

The service at https://gmail.com/services/inbox/get_conversations will dutifully return the contents of your inbox.

Without the Same Origin Policy locking this down, evil.com would be able to read the data in this response. i.e. any site could read your email. With the Same Origin Policy, the data is returned to the browser but no client-side script can read it apart from gmail.com (and of course any other Origins allowed by CORS). For example, in this case Google might allow the following:

Access-Control-Allow-Origin: https://google.com

Note: all of the above is made up by me as an example for illustration purposes and in no way reflects how Google and Gmail actually do this. In principle it would be the same.
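To make the trust model in this answer concrete, here is an added example (not code from the original answer) that models both sides of the exchange in plain Node.js: the headers a resource owner should emit for a given request Origin, the weak origin-reflecting configuration for contrast, and the browser-side read decision applied to the evil.com / gmail.com scenario. The allowlist contents and origins are illustrative assumptions.

```javascript
// Added example, not code from the original answer: a minimal model of the
// CORS decision described above, in plain Node.js. The origins, the
// allowlist and the endpoint are illustrative assumptions.
const ALLOWED_ORIGINS = new Set(["https://google.com", "https://company.com"]);

// Server side (e.g. gmail.com): exact allowlist match only, never reflect an
// arbitrary Origin, and pair Allow-Credentials only with a specific origin.
function corsHeadersFor(requestOrigin, allowCredentials = false) {
  const headers = { Vary: "Origin" }; // caches must key on the Origin header
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers; // unknown origins get no Allow-Origin header at all
}

// Weak configuration shown for contrast: reflecting whatever Origin arrives
// together with credentials is the same as trusting every site on the web.
function reflectingHeadersFor(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Browser side: script on pageOrigin may read a response from resourceOrigin
// only if it is same-origin or the response headers opt that origin in.
function canReadResponse(pageOrigin, resourceOrigin, headers, credentialed) {
  if (pageOrigin === resourceOrigin) return true; // same-origin: always readable
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false; // request was sent, response is unreadable
  if (acao === "*") return !credentialed; // wildcard is refused for credentialed requests
  if (acao !== pageOrigin) return false; // opt-in was for a different origin
  if (credentialed && headers["Access-Control-Allow-Credentials"] !== "true") return false;
  return true;
}

// The answer's scenario: a logged-in user lands on evil.com, whose script
// sends a cookie-bearing request to gmail.com's inbox endpoint.
const INBOX = "https://gmail.com/services/inbox/get_conversations";
function evilDotComCanReadInbox(serverPolicy) {
  const headers = serverPolicy("https://evil.com", true);
  return canReadResponse("https://evil.com", new URL(INBOX).origin, headers, true);
}

console.log("strict allowlist:", evilDotComCanReadInbox(corsHeadersFor)); // false
console.log("reflecting origin:", evilDotComCanReadInbox(reflectingHeadersFor)); // true
```

The request reaches gmail.com and carries the cookies in both cases; the only thing the headers decide is whether the page at evil.com is allowed to read the reply.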
