JavaScript Attacks
I recently found out about TrackJS, a monitoring service for your site's JavaScript. It's incredible. I get detailed information about each error, including the file it occurred in, the URL, the browser, and more -- I love it! The following is a post authored by TrackJS' founder. Enjoy!
"The Web is the most hostile software engineering environment imaginable."
— Douglas Crockford
We run web applications in a hostile environment. With each page-view, our JavaScript is deployed over an unpredictable network into a browser that we do not control. It's scary, but we've broken down five JavaScript errors that impact JavaScript apps today, usually without the developers even knowing about the problem.
1. Asset Loading Failures
Most web applications load a few JavaScript assets: a framework from a CDN, some third-party plugins, and one or more custom script files. What would happen if some or all of them failed to load?
This isn't a hypothetical question. Statistics from TrackJS show that on average 1 in 500 page-views is impacted by a load failure. This can happen for many reasons: poor network connections, server blips, provider changes, and DDoS attacks.
In a way, complete failure is an easier case to deal with. If none of the JavaScript loads, your Single-Page Application will simply show an empty or "No JavaScript" UI. But it can be far more dangerous if only one script fails to load.
For example, failure to load a payment processor library could expose transactional details and personal information. Failure to load a social, advertising, or content network could prevent part of the UI from rendering.
2. Async Race Conditions
Lots of JavaScript involves setting up and responding to asynchronous events, such as user actions or network transmissions. When multiple async actions need to come together to produce a result, you have the makings for a race condition. Consider this simple example:
var obj = {};
// Each request fills in its half of obj when its response arrives.
$.post("/api/thing1", {}, function (resp) {
  obj.thing1 = resp;
});
$.post("/api/thing2", {}, function (resp) {
  obj.thing2 = resp;
  // Assumes thing1 has already arrived; if thing2 completes first, obj.thing1 is still undefined.
  obj.result = obj.thing1 + obj.thing2;
});
Two AJAX requests are started. When the second completes, the two responses are combined into a result. This works fine when "/api/thing1" finishes before "/api/thing2", which may be true in your local environment. But introduce a real network and the order can reverse.
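The race described above, simulated in plain JavaScript as an added example (not code from the original post or from TrackJS): the hypothetical fakePost stands in for $.post with a controllable delay so both completion orders can be reproduced, and safeCombine shows the fix of waiting for both responses before combining them.

```javascript
// fakePost stands in for $.post: it resolves with a constructed response
// string after delayMs, so the test can decide which request finishes first.
function fakePost(path, delayMs) {
  return new Promise((resolve) =>
    setTimeout(() => resolve(`response-from-${path}`), delayMs));
}

// Racy version, mirroring the post's snippet: the result is computed in the
// second request's callback, which silently assumes thing1 already arrived.
function racyCombine(delay1, delay2) {
  const obj = {};
  return new Promise((resolve) => {
    fakePost("/api/thing1", delay1).then((resp) => {
      obj.thing1 = resp;
    });
    fakePost("/api/thing2", delay2).then((resp) => {
      obj.thing2 = resp;
      // When thing2 wins the race this is undefined + string, i.e. garbage.
      obj.result = obj.thing1 + obj.thing2;
      resolve(obj.result);
    });
  });
}

// Fixed version: wait for both responses, then combine, whatever the order.
function safeCombine(delay1, delay2) {
  return Promise.all([
    fakePost("/api/thing1", delay1),
    fakePost("/api/thing2", delay2),
  ]).then(([thing1, thing2]) => thing1 + thing2);
}
```

Passing a longer delay for thing1 than for thing2 reproduces the production failure that never shows up locally; the Promise.all version returns the same result for either ordering.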
3. Vendor Library Changes
Many sites take advantage of third-party libraries: payment processors, analytics, advertisers, or social networks. Each of these provides a valuable service that makes it easier for all of us to build something awesome.

But we must recognize that we're introducing a dependency, and a risk, with each of these libraries. Vendors can change their API or their performance without warning.
4. Browser Runtime Changes
The browsers themselves are changing under us. Every day, they fix bugs and push new capabilities. But sometimes our code has come to depend on those bugs, and sometimes new bugs are introduced.
Last October, Apple shipped a version of WebKit into iOS that made subtle changes to the DOM and caused bugs in Ember, Angular, and Polymer core.
In a few weeks, Microsoft Edge will launch. It will inevitably include changes to the JavaScript runtime, the DOM, and CSS interpretation. We'll have to retest our apps to make sure they all work great in it.
5. Invasive Browser Plugins
Many browsers have an ecosystem of plugins that users can install to extend and enhance the pages they visit. Unfortunately, these plugins can stick their fingers into the DOM and sometimes mess with the flow of your app. It only takes one important user to make this a big problem:
"…the boss found a bug, but it only happens on his wife's computer. This has to be fixed before launch!"
—Anonymous Client Interaction
Search toolbar plugins are really common malware, and they frequently mess with form inputs. They can also change performance characteristics, override APIs, and mask events.
Monitoring and Prevention
Running web applications is hard. Because the platform is constantly shifting, we are never "done". We must constantly monitor and re-test our applications against current users, the networks they connect through, and the browsers and plugins that run our app.
Once you've launched, you should monitor your web applications with TrackJS. TrackJS monitors real users on your site and tells you when they have a problem. TrackJS records all your production JavaScript errors, and includes deep context about what the user, the network, and your application were doing leading up to the failure. TrackJS doesn't just count your errors, it gives you the context to fix them.
TrackJS is an incredible tool for monitoring your site's JavaScript reliability. Every day I receive an email listing the error rate and the top errors for my site. After logging into my TrackJS account, I can see detail about each error, including browser and browser versions, pages the error occurred on, and more. There isn't a better tool out there!
— David Walsh
Grab a free 30 day trial today from TrackJS and let's start finding and fixing bugs for your users.
Translated from: https://davidwalsh.name/javascript-errors-attack-warning