What is JSONP (JSON with Padding)?
What? You still don't know what JSONP is? Go and look it up; I won't cover it here. Here is a Baidu Baike link to start with: baike.baidu.com/item/jsonp/…
What are the security risks, and how do you prevent them?
Suppose I am logged in to www.qq.com, and QQ exposes a JSONP interface such as www.qq.com/getUserInfo?callback=action in order to provide a service to third parties. I can then build a malicious page of my own that requests this JSONP interface, put it online, and collect QQ users' information. It is even better for the attacker if the JSONP interface also covers sensitive operations or data, such as logging in or deleting. Yet many domestic backend developers pay no attention to this problem; I suddenly recall that at a previous job the backend developers, to speed up development, wrote a generic function so that any interface reachable by GET could also be called via JSONP. Emmm…
The first defense is to verify the source of the JSONP call, i.e. the Referer. This scheme relies on the fact that the browser sends a Referer when it loads a JS resource, so the server can check whether the Referer is on a whitelist. That is easy to say, but in practice it is often bypassed because the filtering pattern is too loose. For example, if the check only looks for the keyword www.qq.com, I can construct www.qq.com.domain.com to get through. Likewise, many developers allow an empty Referer, and cross-protocol JS calls do not send a Referer at all; a small hole like this is enough to breach the whole dike.
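The following is an added example, not code from the original post, covering both the leaky JSONP interface described in the scenario above and the Referer whitelist check just discussed. It places the loose substring check beside a strict host comparison, so the two bypasses named above (a Referer of www.qq.com.domain.com, and an empty Referer) can be seen to pass the weak check and fail the strict one. The endpoint path, the whitelist contents and the function names are assumptions made for this example; it runs under Node.js using the built-in `URL` class.

```javascript
// Added example (not from the original post): Referer whitelist checking for
// a JSONP endpoint. ALLOWED_HOSTS is a constructed whitelist for illustration.
const ALLOWED_HOSTS = new Set(["www.qq.com", "qq.com"]);

// Weak check, as described in the text: a substring match on the keyword,
// and an empty Referer is treated as trusted. Both gaps are bypassable.
function weakRefererCheck(referer) {
  if (!referer) return true;              // empty Referer allowed
  return referer.includes("www.qq.com");  // also matches www.qq.com.domain.com
}

// Strict check: parse the Referer as a URL and compare the hostname exactly
// against the whitelist. An empty or unparsable Referer is rejected, so a
// cross-protocol load that sends no Referer is refused rather than trusted.
function strictRefererCheck(referer) {
  if (!referer) return false;
  let url;
  try {
    url = new URL(referer);
  } catch (e) {
    return false;                         // not a valid absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return ALLOWED_HOSTS.has(url.hostname);
}

// Build the JSONP body (callback padding around the JSON) only when the
// Referer passes the strict check; return null so the caller can answer 403.
// The callback name here is assumed to have been validated by the caller.
function jsonpResponse(callbackName, data, referer) {
  if (!strictRefererCheck(referer)) return null;
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Constructed sample requests: a legitimate page and the two bypass cases.
const samples = [
  "https://www.qq.com/profile",
  "https://www.qq.com.domain.com/evil",
  "",
];
for (const r of samples) {
  console.log(JSON.stringify(r), "weak:", weakRefererCheck(r), "strict:", strictRefererCheck(r));
}

module.exports = { weakRefererCheck, strictRefererCheck, jsonpResponse };
```

Running the block prints, for each constructed Referer, whether the weak and the strict check accept it; only the genuine www.qq.com page passes the strict check, while the look-alike host and the empty Referer pass only the weak one.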