Calling HTTPS from HTTP through AJAX for login

Published 2019-03-09 23:55

Question:

I know it violates the same-origin policy, and that is why it is not possible through a simple AJAX request. I could use JSONP. But using JSONP for login doesn't sound secure (no POST, only GET).

So is there a more secure way of implementing login to HTTPS through AJAX?

Answer 1:

Not only does it violate the same-origin policy, but since the page you are calling from is insecure it has the potential to be interfered with and leak all the data you are trying to keep secure.

Use HTTPS for the entire process.

Better yet, keep using HTTPS while people are logged in, otherwise you will have the Firesheep problem.

Answer 2:

As we've discussed in the comments below, this is what Facebook does for their registration page, although there are some vulnerabilities to this method. While it won't appear secure to the user (no lock icon), the actual request is done over HTTPS. If you controlled the entirety of the receiving page, there would be nothing less secure about doing a JSONP request over GET. However, a man-in-the-middle attack could modify the receiving page on load, and cause the returned credentials to be sent to an attacker.

On the plus side though, no one that's just sniffing packets is going to be able to get the credentials: an attack would have to be fairly targeted.

Regarding cookies, technically, JSONP could "return" cookies; you'd just return name-value pairs of the cookies you wanted to set, and have a function on the receiving page set them.

But unless the browser treats <script>s differently, and it might, you should be able to set a cookie in the normal way using the Response Headers of your JSONP response.