zoukankan      html  css  js  c++  java
  • JSONP for cross-site Callbacks 【转】

    转自:http://weblog.west-wind.com/posts/2007/Jul/04/JSONP-for-crosssite-Callbacks


    JSONP is an unofficial protocol that allows making cross domain calls by generating script tags in the current document and expecting a result back to calls a specified callback handler.

    The client JavaScript code to make a JSONP call looks like this:

    function jsonp(url,callback,name, query)
    {                
        if (url.indexOf("?") > -1)
            url += "&jsonp=" 
        else
            url += "?jsonp=" 
        url += name + "&";
        if (query)
            url += encodeURIComponent(query) + "&";   
        url += new Date().getTime().toString(); // prevent caching        
        
        var script = document.createElement("script");        
        script.setAttribute("src",url);
        script.setAttribute("type","text/javascript");                
        document.body.appendChild(script);
    }

    The idea is that this code adds a <script> tag dynamically to the page and when this code loads it causes the JavaScript that the server loads to be executed. Because it uses the DOM and a <script> tag this gets around the cross site scripting limitations of the XHR object.

    The server is expected to return JSON data, but with a slight twist: It has to prepend the callback function name, which is passed as part of the url. The syntax for a JSONP Url is simply the URL with a jsonp= query string parameter that defines the the callback function:

    http://someserver.com/mypage.aspx?jsonp=callbackFunction

    If the server wants to return a result like:

    { "x": 10, "y": 15}

    the result will be turned into (assuming the callback specified is callbackFunction):

    callbackFunction( { "x": 10, "y": 15} )

    If you're implementing this in an ASPX.NET page it might look like this:

    public partial class JSONP : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (!string.IsNullOrEmpty(Request.QueryString["jsonp"]) )
                this.JsonPCallback();
        }
    
        public void JsonPCallback()
        {
            string Callback = Request.QueryString["jsonp"];
            if (!string.IsNullOrEmpty(Callback))
            {
                // *** Do whatever you need
                Response.Write(Callback + "( {"x":10 , "y":100} );");
            }
    
            Response.End();
        }
    }

    The client will now have  script tag that gets added to the document and the script executes on load and in effect calls the callbackFunction with the parameter:

    function callbackFunction(Result)
    {
        alert(Result.x + "  " + Result.y) ;
    }

    And there's a cross domain callback.

    Note that this callback requires that the server KNOWS it's receiving a JSONP request because the server has to prepend the callback handler name supplied so the code can fire in the client.

    Yeah it seems like an Exploit

    I'm not sold on the idea, because it is basically exploiting what seems to be a security hole in the browser and one that apparently won't be plugged as many services like Adsense rely on it. But all this talk about preventing cross site scripting are pretty much moot by allowing this sort of hack to work. But then again this implementation doesn't do anything that couldn't be done before or changes any of the security issues - it just takes advantage of this functionality.

    Still - it feel... wrong <g>...

    It is what it is and it seems this approach is getting more popular in being able to retrieve JSON content from various public sites. It certainly is something that should be useful for ASP.NET developers who internally need to make client callbacks to their own internal sites which seems a frequent request.

  • 相关阅读:
    Docker+Nginx 部署Vue+Element前端项目
    MySql取字段逗号分隔的第一个
    Mysql数据库中从表字段中存储了主表以逗号隔开的主键ID,现需求查询从表数据以及以逗号隔开的字段改为主表名称隔开(group_count() find_in_set())
    IIS 错误500.21解决方法
    IIS 出现500.19 错误处理解决方式
    Linux中vim的三种模式
    Centos7 .Net Core 使用Supervisor守护进程,进行后台运行
    Nginx反代理ASP.NET Core项目
    C# vb .net实现圆角矩形特效滤镜
    C# vb .net实现旋转特效滤镜
  • 原文地址:https://www.cnblogs.com/shrekuu/p/4466104.html
Copyright © 2011-2022 走看看