Assuming I do the same field validation in either case, is there any difference in terms of security whether you POST a form back to its own file or to another?
Note that I'm not referring to sensitive information or passwords within the form data, but to whether either method is better at avoiding various types of attacks.
4 solutions
#1
It does not make a difference. The page accepting the form input has no idea where the data came from (the HTTP referrer is trivial to spoof), and any security effort would depend on things completely unrelated to the page the form data came from.
#2
It does make a difference actually, mainly because if you post back to itself, it doesn't make a new history entry, but if you post to a different page it does make a new history entry in the browser. This is mainly of interest on public terminals, and in browsers that remember the contents of forms.
- fill out a form
- submit
- leave computer
- nefarious individual hits the back button and reads the contents of the form.
I also think that to fully prevent that sort of attack, you'd need to involve a 301 redirect. That is, you post to the URL, and the URL responds with a 301 sending you back to the original page.
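The redirect-after-POST flow this answer describes, as an added example that is not code from the answer: a minimal Python WSGI handler for a form that posts back to its own URL, validates the field, and answers the POST with a 303 See Other back to the form page plus `Cache-Control: no-store`, so the submitted values are not served from the browser cache to the next person at the terminal. The path `/contact`, the `message` field and the length limit are assumptions.

```python
# Added example: Post/Redirect/Get for a form that posts back to its own URL.
# Plain WSGI, no framework. The path, field name and limit are assumptions.
from io import BytesIO
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

FORM_PATH = "/contact"  # assumed: the form lives here and posts back to itself
NO_STORE = ("Cache-Control", "no-store")  # ask the browser not to cache the page

def app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    method = environ.get("REQUEST_METHOD", "GET")
    if path != FORM_PATH:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        fields = parse_qs(environ["wsgi.input"].read(length).decode("utf-8"))
        message = fields.get("message", [""])[0].strip()
        if not message or len(message) > 1000:
            # Validation failed: re-render the form with an error. Still no-store,
            # so the back button cannot pull a cached copy of what was typed.
            start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"), NO_STORE])
            return [b"<p>message required (max 1000 chars)</p>"]
        # Server-side processing of the valid message would happen here. Then
        # redirect: the browser follows a 303 with GET, so the history entry is
        # the GET of the form page rather than the POST carrying the form data.
        start_response("303 See Other", [("Location", FORM_PATH + "?sent=1"), NO_STORE])
        return [b""]
    # GET: render the empty form.
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"), NO_STORE])
    return [b'<form method="post"><textarea name="message"></textarea></form>']

def call(method, path, body=b""):
    """Run one request through app() offline; returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"REQUEST_METHOD": method, "PATH_INFO": path,
                    "CONTENT_LENGTH": str(len(body)),
                    "CONTENT_TYPE": "application/x-www-form-urlencoded",
                    "wsgi.input": BytesIO(body)})
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out
```

The `call` helper replaces a real server so the flow can be exercised offline; `app` itself is a standard WSGI callable and can be served with `wsgiref.simple_server`.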
#3
If they're both files on your server, under your control, then it doesn't make a difference.
#4
No, it does not matter at all. All you are doing is sending an HTTP request to a URL. Your server handles the request and sends the response back to the user. If the response happens to be the same page as the one sending the request, it does not make the application any more secure or vulnerable to any kind of attack over HTTP.