Question

This is bizarre, I was wondering if anyone could shed some light on why this happened.
Basically, I've been pulling my hair out trying to test JSONP out so I can implement a JSON web service that other sites can use. I'm doing development on localhost--specifically, Visual Studio 2008 and Visual Studio 2008's built-in web server.
So as a JSONP test run w/ jQuery, I implemented the following:
    $().ready(function() {
        debugger;
        try {
            $.getJSON("<%= new Uri(Request.Url, "/").ToString() %>XssTest?callback=?", function(data) {
                alert(data.abc);
            });
        } catch (err) {
            alert(err);
        }
    });
And on the server..

    <%= Request["callback"] %>({abc : 'def'})
So what ends up happening is I set a breakpoint on the server and I get the breakpoint both on the first "debugger;" statement in the client-side script as well as on the server. The JSONP URL is indeed being invoked after the page loads. That's working great.
The problem I was having was that the callback would never execute. I tested this in both IE8 as well as Firefox 3.5. Neither one would invoke the callback. The catch(err) was never reached, either. Nothing happened at all!
I'd been stuck on this for a week, and even tested with a manually keyed HTTP request in Telnet on the specified port to be sure that the server is returning the format...
    callbackfn({abc : 'def'})

..it is.
Then it dawned on me, what if I change the hostname from localhost to localhost with a globalizer ('.'), i.e. http://localhost.:41559/ instead of http://localhost:41559/ (yes, adding a dot to any hostname is legal, it is to DNS what global:: is to C# namespaces). And then it worked! Internet Explorer and Firefox 3.5 finally showed me an alert message when I just added a dot.
So this makes me wonder, what is going on here? Why would late script tag generation work with an Internet hostname and not with plain localhost? Or is that the right question?
Clearly this is implemented for security reasons, but what are they trying to secure?? And, by getting it to work with a dot, did I just expose a security hole in this security feature?
By the way, my hosts file, while altered for other hosts, has nothing special going on with localhost; the default 127.0.0.1 / ::1 are still in place with no overrides below.
FOLLOW-UP: I got past this for local development purposes by adding:
    127.0.0.1 local.mysite.com
.. to my hosts file, then adding the following code to my global.asax:
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (Request.Headers["Host"].Split(':')[0] == "localhost")
        {
            Response.Redirect(
                Request.Url.Scheme
                + "://"
                + "local.mysite.com"
                + ":" + Request.Url.Port.ToString()
                + Request.Url.PathAndQuery
                , true);
        }
    }
Answer

I'm going to throw an answer out there; after some thought I've reached my own conclusions.
It could be that this is a security feature that's implemented to try to thwart an Internet web site from invoking JSONP services running on the client machine.
A web site could just go through a list of ports and keep invoking localhost on different ports and paths. 'Localhost' is one of few DNS hostnames that are dynamic in meaning depending on when and where it's queried, making the potential targets vulnerable. And yes, the fact that appending a dot (.) to 'localhost' ('localhost.') produces a working workaround does expose a security vulnerability, but does offer a [tentative] workaround for development purposes.
A better approach is to map the loopback IP to a new hostname entry in the hosts file so that it works locally, isn't prone to be "fixed" by a browser update, and doesn't work anywhere else but on the development workstation.
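The exchange discussed in the question and the answer, as an added example that is not code from the original post, from jQuery, or from ASP.NET: the client turns `callback=?` into a concrete function name, the server writes `<callback>(<json>)`, and the browser runs it. One difference from the question's `<%= Request["callback"] %>({abc : 'def'})` line is that the callback name is treated as untrusted input and validated before it is written into the script, and the payload is JSON-encoded rather than hand-written. All function and constant names below (`expandJsonpUrl`, `buildJsonpResponse`, `runJsonpScript`, `jsonpRoundTrip`) are this example's own choices, and the URL and payload are constructed sample values.

```javascript
// Added example, not code from the question or the answer above. It models the
// two halves of the JSONP exchange the page discusses: the client turning
// "callback=?" into a concrete function name, and the server writing
// "<callback>(<json>)". Unlike the page's "<%= Request["callback"] %>" line,
// the callback name is validated before it is written into the script.
// All names here (expandJsonpUrl, buildJsonpResponse, runJsonpScript, ...)
// are this example's own, not jQuery's or ASP.NET's.

// A plain JavaScript identifier, optionally dotted (e.g. "jQuery17.fn.x").
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LENGTH = 128;
let jsonpCounter = 0;

// Client side: jQuery replaces the "?" in "callback=?" with a generated
// function name before inserting the <script> tag; this does the same.
function expandJsonpUrl(url) {
  const name = 'jsonp_cb_' + (++jsonpCounter);
  return { url: url.replace(/callback=\?/, 'callback=' + name), name };
}

// Server side: accept only names that are safe to emit as a function call.
function isValidCallbackName(name) {
  return typeof name === 'string'
    && name.length <= MAX_CALLBACK_LENGTH
    && CALLBACK_NAME.test(name);
}

// Server side: build the script body and headers. Rejects bad callback names
// instead of echoing them, JSON-encodes the payload, and escapes U+2028/U+2029,
// which are legal inside JSON strings but end a line in older JS parsers.
function buildJsonpResponse(callbackName, payload) {
  if (!isValidCallbackName(callbackName)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'bad callback' };
  }
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // Leading comment so the body never starts with caller-chosen bytes.
    body: '/**/' + callbackName + '(' + json + ');',
  };
}

// Browser side: what happens when the <script> tag loads. The body runs with
// the registered callbacks in scope; the result is whatever the callback returns.
function runJsonpScript(body, callbacks) {
  let received;
  const scope = {};
  for (const [name, fn] of Object.entries(callbacks)) {
    scope[name] = (data) => { received = fn(data); };
  }
  new Function(...Object.keys(scope), body)(...Object.values(scope));
  return received;
}

// End-to-end round trip on a constructed request, mirroring the page's
// "callbackfn({abc : 'def'})" exchange against http://localhost.:41559/.
function jsonpRoundTrip(payload) {
  const { url, name } = expandJsonpUrl('http://localhost.:41559/XssTest?callback=?');
  const callbackParam = new URL(url).searchParams.get('callback');
  const response = buildJsonpResponse(callbackParam, payload);
  return runJsonpScript(response.body, { [name]: (data) => data.abc });
}
```

The validation step is what a JSONP endpoint that other sites will call needs most: whatever arrives in the `callback` parameter is written verbatim into a script that the requesting page executes, so restricting it to an identifier keeps the endpoint from being turned into a reflector for arbitrary JavaScript.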