What is the most reliable way to hide / spoof the referrer in JavaScript?
Question
Normally, the referrer is traceable through:
- JavaScript's document.referrer
- The request headers, e.g. PHP's $_SERVER['HTTP_REFERER']
I have set up a Codepad demo which shows these properties, for testing purposes.
- The original referrer should effectively be hidden, at least for all mouse events.
- Cross-browser support (at least Chrome and Firefox).
- Stand-alone, without any external content (plugins, libraries, redirection pages, ...).
- No side-effects: Links should not be rewritten, history entries should be preserved.
The solution will be used to hide the referrer when following a link of <a href="url">.
As described in this question on Webapps, links at Google Search are modified on click. Consequently,
- Google is able to track your search behaviour (Privacy-- )
- The page request is slightly delayed.
- The linked page cannot track your Google search query (Privacy++ )
- Dragged/Copied URLs look like http://google.com/lotsoftrash?url=actualurl.
I'm developing a Userscript (Firefox) / Content script (Chrome) (code), which removes Google's link-mutilating event. As a result, points 1, 2 and 4 are dealt with.
Point 3 remains.
- Chrome: <a rel="noreferrer">
- Firefox: data-URIs. I have created a sophisticated approach to implement this feature for left- and middle-clicks, while still enforcing point 4. However, I'm struggling with the right-click method.
Recommended answer
I have found a solution which works in Chrome and Firefox. I've implemented the code in a Userscript, Don't track me Google.
Demo (tested in Firefox 9 and Chrome 17): http://jsfiddle.net/RxHw5/
Webkit-based browsers (such as Chrome, Safari) support <a rel="noreferrer"> (spec).
Referrer hiding can fully be implemented by combining this method with two event listeners:
- mousedown - On click, middle-click, right-click contextmenu, ...
- keydown (Tab Tab Tab ... Enter).
Code:

    function hideRefer(e) {
        var a = e.target;
        // The following line is used to deal with nested elements,
        // such as: <a href="."> Stack <em>Overflow</em> </a>.
        if (a && a.tagName !== 'A') a = a.parentNode;
        if (a && a.tagName === 'A') {
            a.rel = 'noreferrer';
        }
    }
    window.addEventListener('mousedown', hideRefer, true);
    window.addEventListener('keydown', hideRefer, true);

* rel=noreferrer is supported in Firefox since 33, but support was limited to in-page links. Referrers were still sent when the user opened the tab via the context menu. This bug was fixed in Firefox 37 [bug 1031264].
Firefox did not support rel="noreferrer" until version 33 [bug 530396] (or 37, if you wish to hide the referrer for context menus as well).
A data-URI + <meta http-equiv=refresh> can be used to hide the referrer in Firefox (and IE). Implementing this feature is more complicated, but also requires two events:
- click - On click, on middle-click, Enter
- contextmenu - On right-click, Tab Tab ... Contextmenu
In Firefox, the click event is fired for each mouseup and hitting Enter on a link (or form control). The contextmenu event is required, because the click event fires too late for this case.
Based on data-URIs and split-second time-outs:
When the click event is triggered, the href attribute is temporarily replaced with a data-URI. The event finishes, and the default behaviour occurs: opening the data-URI, dependent on the target attribute and SHIFT/CTRL modifiers.
Meanwhile, the href attribute is restored to its original state.
When the contextmenu event is triggered, the link also changes for a split second.
- The Open Link in ... options will open the data-URI.
- The Copy Link location option refers to the restored, original URI.
- ☹ The Bookmark option refers to the data-URI.
- ☹ Save Link as points to the data-URI.
Code:

    // Create a data-URI, redirection by <meta http-equiv=refresh content="0;url=..">
    function doNotTrack(url) {
        // As short as possible. " can potentially break the <meta content> attribute,
        // # breaks the data-URI. So, escape both characters.
        url = url.replace(/"/g,'%22').replace(/#/g,'%23');
        // In case the server does not respond, or if one wants to bookmark the page,
        // also include an anchor. Strictly, only <meta ... > is needed.
        url = '<title>Redirect</title>'
            + '<a href="' +url+ '" style="color:blue">' +url+ '</a>'
            + '<meta http-equiv=refresh content="0;url=' +url+ '">';
        return 'data:text/html,' + url;
    }
    function hideRefer(e) {
        var a = e.target;
        if (a && a.tagName !== 'A') a = a.parentNode;
        if (a && a.tagName === 'A') {
            if (e.type == 'contextmenu' || e.button < 2) {
                var realHref = a.href; // Remember original URI
                // Replaces href attribute with data-URI
                a.href = doNotTrack(a.href);
                // Restore the URI, as soon as possible
                setTimeout(function() {a.href = realHref;}, 4);
            }
        }
    }
    document.addEventListener('click', hideRefer, true);
    document.addEventListener('contextmenu', hideRefer, true);

Combining both methods
Unfortunately, there is no straightforward way to feature-detect this feature (let alone account for bugs). So you can either select the relevant code based on navigator.userAgent (i.e. UA-sniffing), or use one of the convoluted detection methods from How can I detect rel="noreferrer" support?.
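
One way to do the UA-sniffing selection described above, as an added example that is not part of the original answer. The names planListeners and install are hypothetical, the Firefox thresholds (33 and 37) are the ones the answer states, and treating unknown browsers like WebKit is an assumption.

```javascript
// Added example: choose, per event, which of the answer's two methods to use.
// Returns [eventName, method] pairs; method is 'rel' or 'data-uri'.
function planListeners(userAgent) {
  var REL = [['mousedown', 'rel'], ['keydown', 'rel']];
  var DATA = [['click', 'data-uri'], ['contextmenu', 'data-uri']];
  var fx = /Firefox\/(\d+)/.exec(userAgent);
  if (fx) {
    var major = parseInt(fx[1], 10);
    // 37+: rel=noreferrer is also honoured for context-menu navigation.
    if (major >= 37) return REL;
    // 33-36: rel works for in-page clicks, the context menu still leaks.
    if (major >= 33) return REL.concat([['contextmenu', 'data-uri']]);
    // Before 33: no rel=noreferrer support at all.
    return DATA;
  }
  // The answer says the data-URI method also works in IE.
  if (/MSIE |Trident\//.test(userAgent)) return DATA;
  // WebKit-based and unknown browsers. Assumption: a browser that does
  // not understand the rel value ignores it, so this default is harmless.
  return REL;
}

// handlers: { rel: fn, 'data-uri': fn }, i.e. the two hideRefer variants
// from the answer. Registers them in the capture phase, as the answer does.
// Returns the number of listeners registered.
function install(target, userAgent, handlers) {
  var plan = planListeners(userAgent);
  plan.forEach(function (p) {
    target.addEventListener(p[0], handlers[p[1]], true);
  });
  return plan.length;
}

// Constructed sample UA strings, for illustration only.
var SAMPLE_UAS = {
  firefox9: 'Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0',
  firefox35: 'Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0',
  firefox37: 'Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0',
  chrome17: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11'
};
```

In a page or userscript, the call would be install(document, navigator.userAgent, {...}) with the two handlers renamed so they do not collide.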