
If an HTTP web page makes an AJAX request to an HTTPS URL, is the post secure?

开发者 https://www.devze.com 2023-01-28 13:46 Source: Internet

If I created an HTML/jQuery widget that was meant to be placed on 3rd-party websites (where users are expected to have extremely low technical knowledge and probably lack an SSL certificate) and used jQuery to AJAX POST the information of the widget to a secure URL, the information posted would be secured properly, correct?

Edit: Can anyone elaborate on the same origin policy / implications of having a site that has no SSL certificate in regards to it?


The data would be secure in transit, but the page making the request could be intercepted and modified before reaching the client, so the request could be diverted or modified. (Simple case: make two requests instead of one, one to the secure server and one to a hacker's server.)

If you want security then you need to have both the page performing data collection/submission and the page processing the data passed over SSL.

(You would also have to deal with the issue of Same Origin Policy.)


That depends on the definition you want to use for "Secure". Security is subjective, and some people have a more "broad" definition of "secure" than others.

If by "Secure" you're asking if a sniffer can get your post across the network, then sure, using HTTPS would make it secure in that regard.

However, if the page is doing this post to your server to do anything that the user might not want it to do, then by MY definition it's not secure.

For example, I would be fine with this script calling your service if your service were providing data back to the site (for a legitimate purpose, in other words). A good example would be calling your site to provide a stock quote, or a joke-of-the-day that shows up on the page; that's fine.

BUT if your script was doing a post to track my presence on the site, add me to a potential mailing list, steal my data, or any purpose other than what's needed for me to do my work on your site, then you're violating my privacy, or at least doing something behind the scenes that I really don't anticipate or want to happen. In that case, by definition, any activity that uses stealth to track me or steal my personal and/or financial data (including my browsing habits) is a security violation.

Also, if your script in any way weakens existing defenses on the web page or introduces new vulnerabilities, then no, it's not secure by anyone's definition.


Yes, it will use HTTPS for the Ajax request.

However, you cannot make an off-site request (same-origin policy), and when your client lacks a proper SSL certificate, I don't see how you would make a secure AJAX request (?).
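Added example, not taken from any of the answers: on a cross-origin POST the browser sends an `Origin` header, and the HTTPS endpoint decides through CORS response headers whether the calling page may read the reply. The sketch below shows how the endpoint can use that header to tell that the embedding page was loaded over plain HTTP; the allowlist entries and the function name `evaluateOrigin` are constructed for illustration.

```javascript
// Constructed allowlist of partner sites that serve the widget over HTTPS.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",
  "https://blog.example:8443",
]);

// Decide how the HTTPS endpoint should treat a request, given its Origin header.
// Returns { allow, reason, headers }, where headers are the CORS response headers.
function evaluateOrigin(originHeader) {
  const deny = (reason) => ({ allow: false, reason, headers: {} });

  if (originHeader === undefined || originHeader === "") {
    return deny("missing-origin");
  }
  if (originHeader === "null") {
    // Sandboxed iframes and file:// pages send the literal string "null".
    return deny("opaque-origin");
  }

  let url;
  try {
    url = new URL(originHeader);
  } catch (e) {
    return deny("malformed-origin");
  }

  if (url.protocol !== "https:") {
    // The embedding page travelled in cleartext, so the script that built
    // this request may have been altered before it reached the browser.
    return deny("insecure-embedding-page");
  }

  // url.origin lower-cases the host and drops default ports.
  if (!ALLOWED_ORIGINS.has(url.origin)) {
    return deny("origin-not-allowlisted");
  }

  return {
    allow: true,
    reason: "ok",
    headers: {
      "Access-Control-Allow-Origin": url.origin, // echo the exact origin, never "*"
      "Vary": "Origin",                          // keep caches from mixing origins
    },
  };
}
```

Rejecting `http:` origins tells the endpoint that the submitting page was not protected in transit; it does not stop an altered copy of that page from also sending the data somewhere else, which is why the first answer asks for SSL on both pages. Non-browser clients can send any `Origin` value, so this check is not authentication.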
