I am curious as to what, if any, security concerns other develpers have in regards to the use of JQuery plugins. I have seen very little talk about security where JQuery is concerned. Is it really a non issue?
我很好奇,如果有的话,其他开发人员对JQuery插件的使用有什么安全问题。我很少看到关于JQuery安全性的讨论。这真的不是问题吗?
Appreciate your thoughts!
欣赏你的想法!
3 个解决方案
#1
7
Personally I am comfortable enough with Javascript to be able to swiff through the plugin code and understand possible misbehavior.
就我个人而言,我对Javascript很满意,可以通过插件代码来快速浏览,并了解可能的错误行为。
What I look for is the most relevant security issue with javascript, cross-domain communication, which is usually done with the creation of iframes, script/img tags etc..
我寻找的是javascript中最相关的安全问题,跨域通信,通常是通过创建iframe、脚本/img标记等来完成的。
Most of the times though, I trust the community, for example if it's up on http://plugins.jquery.com/ it is usually a trusted source.
但大多数时候,我信任这个社区,例如如果它在http://plugins.jquery.com/上,那么它通常是一个受信任的来源。
#2
2
jQuery can't do anything that javascript itself can't do, so all the same security standards apply. Basically - never rely on it for security. Always validate all inputs on the server side.
jQuery不能做任何javascript本身不能做的事情,所以所有的安全标准都适用。基本上,永远不要依赖它来保证安全。始终验证服务器端上的所有输入。
The best way to think of it is that from a security perspective, the client-side javascript is not actually a part of your application. Your application consists of all the possible http calls to your server. For good security, assume that hackers won't even be using a browser - they'll be making http requests directly to your server. Make sure that you aren't exposing any vulnerabilities in your http endpoints, and you should be ok.
最好的方法是,从安全的角度来看,客户端javascript实际上并不是应用程序的一部分。应用程序包含对服务器的所有可能的http调用。为了更好的安全性,假设黑客甚至不会使用浏览器——他们将直接向您的服务器发出http请求。确保在http端点中没有暴露任何漏洞,应该没问题。
note: I made the assumption in this reply that you're talking about data and system security. User security (preventing your users from being phished, etc) is another kettle of fish, but I'm not sure it has to do with jQuery any more than javascript in general.
注意:我在这个回复中假设您正在讨论数据和系统安全性。用户安全性(防止用户被钓鱼等等)是另一个问题,但我不确定它与jQuery的关系是否比javascript的关系更大。
#3
0
The most popular ones are used all over the web on major web sites. If there is a security concern, someone else has probably already noted it. Also, a lot of the most-used jQuery plug-ins come from the same developers who are very active in the community, so it's fairly safe to trust them. (Jörn Zaefferer, the guy who did the validation plug-in, comes to mind)
最流行的是在主要的网站上使用的。如果存在安全隐患,其他人可能已经注意到了。另外,许多使用最多的jQuery插件都来自于在社区中非常活跃的相同的开发人员,所以信任他们是相当安全的。(我想到了做验证插件的Jorn Zaefferer)
Granted, it's a good idea to always test and always be skeptical, but at some point it becomes cost inefficient to worry too much.
当然,总是进行测试并保持怀疑是一个好主意,但是在某种程度上,过多的担心会降低成本。
#1
7
Personally I am comfortable enough with Javascript to be able to swiff through the plugin code and understand possible misbehavior.
就我个人而言,我对Javascript很满意,可以通过插件代码来快速浏览,并了解可能的错误行为。
What I look for is the most relevant security issue with javascript, cross-domain communication, which is usually done with the creation of iframes, script/img tags etc..
我寻找的是javascript中最相关的安全问题,跨域通信,通常是通过创建iframe、脚本/img标记等来完成的。
Most of the times though, I trust the community, for example if it's up on http://plugins.jquery.com/ it is usually a trusted source.
但大多数时候,我信任这个社区,例如如果它在http://plugins.jquery.com/上,那么它通常是一个受信任的来源。
#2
2
jQuery can't do anything that javascript itself can't do, so all the same security standards apply. Basically - never rely on it for security. Always validate all inputs on the server side.
jQuery不能做任何javascript本身不能做的事情,所以所有的安全标准都适用。基本上,永远不要依赖它来保证安全。始终验证服务器端上的所有输入。
The best way to think of it is that from a security perspective, the client-side javascript is not actually a part of your application. Your application consists of all the possible http calls to your server. For good security, assume that hackers won't even be using a browser - they'll be making http requests directly to your server. Make sure that you aren't exposing any vulnerabilities in your http endpoints, and you should be ok.
最好的方法是,从安全的角度来看,客户端javascript实际上并不是应用程序的一部分。应用程序包含对服务器的所有可能的http调用。为了更好的安全性,假设黑客甚至不会使用浏览器——他们将直接向您的服务器发出http请求。确保在http端点中没有暴露任何漏洞,应该没问题。
note: I made the assumption in this reply that you're talking about data and system security. User security (preventing your users from being phished, etc) is another kettle of fish, but I'm not sure it has to do with jQuery any more than javascript in general.
注意:我在这个回复中假设您正在讨论数据和系统安全性。用户安全性(防止用户被钓鱼等等)是另一个问题,但我不确定它与jQuery的关系是否比javascript的关系更大。
#3
0
The most popular ones are used all over the web on major web sites. If there is a security concern, someone else has probably already noted it. Also, a lot of the most-used jQuery plug-ins come from the same developers who are very active in the community, so it's fairly safe to trust them. (Jörn Zaefferer, the guy who did the validation plug-in, comes to mind)
最流行的是在主要的网站上使用的。如果存在安全隐患,其他人可能已经注意到了。另外,许多使用最多的jQuery插件都来自于在社区中非常活跃的相同的开发人员,所以信任他们是相当安全的。(我想到了做验证插件的Jorn Zaefferer)
Granted, it's a good idea to always test and always be skeptical, but at some point it becomes cost inefficient to worry too much.
当然,总是进行测试并保持怀疑是一个好主意,但是在某种程度上,过多的担心会降低成本。