对 HTTPS 地址的 XMLHTTP POST 请求是否使用任何加密?
Does a XMLHTTP POST request to an HTTPS address use any encryption?
如果我们使用javascript的http请求函数:
var request = new XMLHttpRequest();
到 https 地址,这会使用任何类型的加密还是 MITM 能够看到我们发送的所有数据?
示例:
function createAuthToken(baseRestURL, callback) {
var APIPath = "account/api/session";
var CORSPath = "https://cors-anywhere.herokuapp.com/";
var completeRestURL = CORSPath + baseRestURL + APIPath;
console.log("REST API URL: " + completeRestURL);
var method = "POST";
var postData = "{\"tokenId\": \"" + document.getElementById('api_key').value + "\",\"secret\": \"" + document.getElementById('secret').value + "\",\"loginMode\": 1,\"applicationType\": 35}";
var async = true;
var request = new XMLHttpRequest();
request.onreadystatechange = function() {
if (request.readyState == 4 && (request.status == 200 || request.status == 201)) {
console.log("ONLOAD");
var status = request.status; // HTTP response status, e.g., 200 for "200 OK"
console.log(status);
var response = JSON.parse(request.responseText);
console.log(response.session_token);
return callback(response.session_token);
}
}
request.open(method, completRestURL, async);
request.setRequestHeader("Content-Type", "application/json");
request.setRequestHeader("Accept", "application/json");
request.send(postData);
跟进问题:如果没有,有没有一种方法可以在我们的客户端 javascript 中包含安全的加密?我的想法是在将请求发送到服务器之前使用网站的 public 密钥对请求进行加密,但我找不到任何其他尝试客户端加密的人。
粗略示例:
var CryptoJS = require("crypto-js");
var WhosebugKey = "30 82 01 0a 02 82 01..."
var postData = "{\"tokenId\": \"" + document.getElementById('api_key').value + "\",\"secret\": \"" + document.getElementById('secret').value + "\",\"loginMode\": 1,\"applicationType\": 35}";
var encryptedPostData = cryptoJS.hmacSHA256(postData, WhosebugKey)
//let's skip the callback and request headers as they are the same as above
var request = new XMLHttpRequest();
request.open();
request.send(encryptedPostData);
我没有学习计算机科学,在网上找不到任何关于这方面的信息。普遍接受的做法是什么?
XMLHttpRequest 中的 HTTP 和 XML 部分一样,只是一个遗留的命名方案。由于所使用的请求可以包含的不仅仅是 http 协议 url,并且接收的不仅仅是 XML 响应主体。
例如,最初的 W3C 工作草案通过以下方式介绍了 XMLHttpRequest 对象:
https://www.w3.org/TR/2006/WD-XMLHttpRequest-20060927/#introduction
The name of the object is XMLHttpRequest for compatibility with the web
as it doesn't make much sense otherwise. It supports the transport of
other data formats in addition to XML, some implementations support
other protocols besides HTTP (that functionality is not covered in
this specification though) and the API supports sending data as well.
请注意 "some implementations",因为这是 2006 年的工作草案,所以并不是每个人都使用相同的实现。
XMLHttpRequest 的当前 whatwg 规范对名称有如下说法:
https://xhr.spec.whatwg.org/#introduction
The name XMLHttpRequest is historical and has no bearing on its
functionality.
因此,只要所使用的浏览器根据规范实现 XMLHttpRequest,request/response 就会被浏览器正常对待,即针对 https 进行加密。
如果我们使用javascript的http请求函数:
var request = new XMLHttpRequest();
到 https 地址,这会使用任何类型的加密还是 MITM 能够看到我们发送的所有数据?
示例:
function createAuthToken(baseRestURL, callback) {
var APIPath = "account/api/session";
var CORSPath = "https://cors-anywhere.herokuapp.com/";
var completeRestURL = CORSPath + baseRestURL + APIPath;
console.log("REST API URL: " + completeRestURL);
var method = "POST";
var postData = "{\"tokenId\": \"" + document.getElementById('api_key').value + "\",\"secret\": \"" + document.getElementById('secret').value + "\",\"loginMode\": 1,\"applicationType\": 35}";
var async = true;
var request = new XMLHttpRequest();
request.onreadystatechange = function() {
if (request.readyState == 4 && (request.status == 200 || request.status == 201)) {
console.log("ONLOAD");
var status = request.status; // HTTP response status, e.g., 200 for "200 OK"
console.log(status);
var response = JSON.parse(request.responseText);
console.log(response.session_token);
return callback(response.session_token);
}
}
request.open(method, completRestURL, async);
request.setRequestHeader("Content-Type", "application/json");
request.setRequestHeader("Accept", "application/json");
request.send(postData);
跟进问题:如果没有,有没有一种方法可以在我们的客户端 javascript 中包含安全的加密?我的想法是在将请求发送到服务器之前使用网站的 public 密钥对请求进行加密,但我找不到任何其他尝试客户端加密的人。
粗略示例:
var CryptoJS = require("crypto-js");
var WhosebugKey = "30 82 01 0a 02 82 01..."
var postData = "{\"tokenId\": \"" + document.getElementById('api_key').value + "\",\"secret\": \"" + document.getElementById('secret').value + "\",\"loginMode\": 1,\"applicationType\": 35}";
var encryptedPostData = cryptoJS.hmacSHA256(postData, WhosebugKey)
//let's skip the callback and request headers as they are the same as above
var request = new XMLHttpRequest();
request.open();
request.send(encryptedPostData);
我没有学习计算机科学,在网上找不到任何关于这方面的信息。普遍接受的做法是什么?
XMLHttpRequest 中的 HTTP 和 XML 部分一样,只是一个遗留的命名方案。由于所使用的请求可以包含的不仅仅是 http 协议 url,并且接收的不仅仅是 XML 响应主体。
例如,最初的 W3C 工作草案通过以下方式介绍了 XMLHttpRequest 对象:
https://www.w3.org/TR/2006/WD-XMLHttpRequest-20060927/#introduction
The name of the object is XMLHttpRequest for compatibility with the web as it doesn't make much sense otherwise. It supports the transport of other data formats in addition to XML, some implementations support other protocols besides HTTP (that functionality is not covered in this specification though) and the API supports sending data as well.
请注意 "some implementations",因为这是 2006 年的工作草案,所以并不是每个人都使用相同的实现。
XMLHttpRequest 的当前 whatwg 规范对名称有如下说法:
https://xhr.spec.whatwg.org/#introduction
The name XMLHttpRequest is historical and has no bearing on its functionality.
因此,只要所使用的浏览器根据规范实现 XMLHttpRequest,request/response 就会被浏览器正常对待,即针对 https 进行加密。