translate: security.jade, new reworded part.

This commit is contained in:
Zhimin YE 2016-11-04 12:01:01 +00:00
parent f42cc68544
commit e4c327c2d1
1 changed files with 40 additions and 6 deletions

View File

@ -348,48 +348,80 @@ h3#xsrf 跨站请求伪造XSRF
a different web page (e.g. `evil.com`) with malignant code that secretly sends a malicious request a different web page (e.g. `evil.com`) with malignant code that secretly sends a malicious request
to your application's web server (e.g. `example-bank.com`). to your application's web server (e.g. `example-bank.com`).
在跨站请求伪造XSRF或CSFR攻击者欺骗用户让他们访问一个假冒页面(例如`evil.com`)
该页面带有恶意代码,秘密的向你的应用程序服务器发送恶意请求(e.g. `example-bank.com`)。
Assume the user is logged into the application at `example-bank.com`. Assume the user is logged into the application at `example-bank.com`.
The user opens an email and clicks a link to `evil.com` which opens in a new tab. The user opens an email and clicks a link to `evil.com` which opens in a new tab.
假设用户已经在`example-bank.com`登录。用户打开一个邮件,点击里面的链接,在新页面中打开`evil.com`。
The `evil.com` page immediately sends a malicious request to `example-bank.com`. The `evil.com` page immediately sends a malicious request to `example-bank.com`.
Perhaps it's a request to transfer money from the user's account to the attacker's account. Perhaps it's a request to transfer money from the user's account to the attacker's account.
The browser automatically sends the `example-bank.com` cookies (including the authentication cookie) with this request. The browser automatically sends the `example-bank.com` cookies (including the authentication cookie) with this request.
该`evil.com`页面立刻发送恶意请求到`example-bank.com`。这个请求可能是从用户账户转账到攻击者的账户。
与该请求一起,浏览器自动发出`example-bank.com`的cookie。
The `example-bank.com` server, if it lacks XSRF protection, can't tell the difference between a legitimate request from the application The `example-bank.com` server, if it lacks XSRF protection, can't tell the difference between a legitimate request from the application
and the forged request from `evil.com`. and the forged request from `evil.com`.
如果`example-bank.com`服务器缺乏XSRF保护就无法辨识请求是从应用程序发来的合法请求还是从`evil.com`来的假请求。
To prevent this, the application must ensure that a user request originates from the real To prevent this, the application must ensure that a user request originates from the real
application, not from a different site. application, not from a different site.
The server and client must cooperate to thwart this attack. The server and client must cooperate to thwart this attack.
为了防止这种情况,你必须确保每个用户的请求都是从你自己的应用中发出的,而不是从另一个网站发出的。
客户端和服务器必须合作来抵挡这种攻击。
In a common anti-XSRF technique, the application server sends a randomly In a common anti-XSRF technique, the application server sends a randomly
generated authentication token in a cookie. generated authentication token in a cookie.
The client code reads the cookie and adds a custom request header with the token in all subsequent requests. The client code reads the cookie and adds a custom request header with the token in all subsequent requests.
The server compares the received cookie value to the request header value and rejects the request if the values are missing or don't match. The server compares the received cookie value to the request header value and rejects the request if the values are missing or don't match.
常见的反XSRF技术是服务器随机生成一个用户认证令牌到cookie中。
客户端代码获取这个cookie并用它为接下来所有的请求添加自定义请求页头。
服务器比较收到的cookie值与请求页头的值如果它们不匹配便拒绝请求。
This technique is effective because all browsers implement the _same origin policy_. Only code from the website This technique is effective because all browsers implement the _same origin policy_. Only code from the website
on which cookies are set can read the cookies from that site and set custom headers on requests to that site. on which cookies are set can read the cookies from that site and set custom headers on requests to that site.
That means only your application can read this cookie token and set the custom header. The malicious code on `evil.com` can't. That means only your application can read this cookie token and set the custom header. The malicious code on `evil.com` can't.
这个技术之所以有效是因为所有浏览器都实现了_同源策略_。只有设置cookie的网站的代码可以访问该站的cookie并为该站的请求设置自定义页头。
这就是说只有你的应用程序可以获取这个cookie令牌和设置自定义页头。`evil.com`的恶意代码不能。
Angular's `http` has built-in support for the client-side half of this technique in its `XSRFStrategy`. Angular's `http` has built-in support for the client-side half of this technique in its `XSRFStrategy`.
The default `CookieXSRFStrategy` is turned on automatically. The default `CookieXSRFStrategy` is turned on automatically.
Before sending an HTTP request, the `CookieXSRFStrategy` looks for a cookie called `XSRF-TOKEN` and Before sending an HTTP request, the `CookieXSRFStrategy` looks for a cookie called `XSRF-TOKEN` and
sets a header named `X-XSRF-TOKEN` with the value of that cookie. sets a header named `X-XSRF-TOKEN` with the value of that cookie.
Angular的`http`客户端在其`XSRFStrategy`中具有对这项技术的内置支持。
默认的`CookieXSRFStrategy`会被自动开启
在发送每个请求之前,`CookieXSRFStrategy`查询名为`XSRF-TOKEN`的cookie并设置一个名为`X-XSRF-TOKEN`的HTTP请求头并把该cookie的值赋给它。
The server must do its part by setting the The server must do its part by setting the
initial `XSRF-TOKEN` cookie and confirming that each subsequent state-modifying request initial `XSRF-TOKEN` cookie and confirming that each subsequent state-modifying request
includes a matching `XSRF-TOKEN` cookie and `X-XSRF-TOKEN` header. includes a matching `XSRF-TOKEN` cookie and `X-XSRF-TOKEN` header.
服务器必须要完成自己的任务,设置初始`XSRF-TOKEN`cookie并确认接下来的每个请求包含了配对的`XSRF-TOKEN`cookie和`X-XSRF-TOKEN`页头。
XSRF/CSRF tokens should be unique per user and session, have a large random value generated by a XSRF/CSRF tokens should be unique per user and session, have a large random value generated by a
cryptographically secure random number generator, and should expire in a day or two. cryptographically secure random number generator, and should expire in a day or two.
CSRF令牌对每个用户和session应该是唯一的它包含一大串由安全的随机数字生成器生成的随机值并且在一两天之内过期。
Your server may use a different cookie or header name for this purpose. Your server may use a different cookie or header name for this purpose.
An Angular application can customize cookie and header names by providing its own `CookieXSRFStrategy` values. An Angular application can customize cookie and header names by providing its own `CookieXSRFStrategy` values.
你服务器可能使用不同的cookie或者页头名字。Angular应用可以通过自己的`CookieXSRFStrategy`值来自定义cookie和页头名字。
code-example(language="typescript"). code-example(language="typescript").
{ provide: XSRFStrategy, useValue: new CookieXSRFStrategy('myCookieName', 'My-Header-Name') } { provide: XSRFStrategy, useValue: new CookieXSRFStrategy('myCookieName', 'My-Header-Name') }
:marked :marked
Or you can implement and provide an entirely custom `XSRFStrategy`: Or you can implement and provide an entirely custom `XSRFStrategy`:
或者你可以实现和提供完整的自定义`XSRFStrategy`。
code-example(language="typescript"). code-example(language="typescript").
{ provide: XSRFStrategy, useClass: MyXSRFStrategy } { provide: XSRFStrategy, useClass: MyXSRFStrategy }
@ -400,14 +432,16 @@ code-example(language="typescript").
<a href="https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet" target="_blank">Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet</a>. <a href="https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet" target="_blank">Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet</a>.
The Stanford University paper The Stanford University paper
<a href="https://seclab.stanford.edu/websec/csrf/csrf.pdf" target="_blank">Robust Defenses for Cross-Site Request Forgery</a> is a rich source of detail. <a href="https://seclab.stanford.edu/websec/csrf/csrf.pdf" target="_blank">Robust Defenses for Cross-Site Request Forgery</a> is a rich source of detail.
See also Dave Smith's easy-to-understand
<a href="https://www.youtube.com/watch?v=9inczw6qtpY" target="_blank" title="Cross Site Request Funkery Securing Your Angular Apps From Evil Doers">talk on XSRF at AngularConnect 2016</a>.
到开放式Web应用程序安全项目(OWASP)的[这里](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) 到开放式Web应用程序安全项目(OWASP)的[这里](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
和[这里](https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet)学习更多关于跨站请求伪造XSRF的知识。 和[这里](https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet)学习更多关于跨站请求伪造XSRF的知识。
这个[斯坦福大学论文](https://seclab.stanford.edu/websec/csrf/csrf.pdf)有详尽的细节。 这个[斯坦福大学论文](https://seclab.stanford.edu/websec/csrf/csrf.pdf)有详尽的细节。
See also Dave Smith's easy-to-understand
<a href="https://www.youtube.com/watch?v=9inczw6qtpY" target="_blank" title="Cross Site Request Funkery Securing Your Angular Apps From Evil Doers">talk on XSRF at AngularConnect 2016</a>.
参见Dave Smith在<a href="https://www.youtube.com/watch?v=9inczw6qtpY" target="_blank" title="Cross Site Request Funkery Securing Your Angular Apps From Evil Doers">AngularConnect 2016关于XSRF的演讲</a>。
h3#xssi Cross-site script inclusion (XSSI) h3#xssi Cross-site script inclusion (XSSI)
h3#xssi 跨站脚本包含(XSSI) h3#xssi 跨站脚本包含(XSSI)