What is the most reliable way to hide / spoof the referrer in JavaScript?


Problem description

Normally, the referrer is traceable through:


  • JavaScript's document.referrer
  • The request headers, e.g. PHP's $_SERVER['HTTP_REFERER']

I have set up a Codepad demo which shows these properties, for testing purposes.


  1. The original referrer should effectively be hidden, at least for all mouse events.
  2. Cross-browser support (at least Chrome and Firefox).
  3. Stand-alone, without any external content (plugins, libraries, redirection pages, ...).
  4. No side-effects: Links should not be rewritten, history entries should be preserved.

The solution will be used to hide the referrer when following a link of <a href="url">.

As described in this question on Webapps, links at Google Search are modified on click. Consequently,


  1. Google is able to track your search behaviour (Privacy-- )
  2. The page request is slightly delayed.
  3. The linked page cannot track your Google search query (Privacy++ )
  4. Dragged/Copied URLs look like http://google.com/lotsoftrash?url=actualurl.



I'm developing a Userscript (Firefox) / Content script (Chrome) (code), which removes Google's link-mutilating event. As a result, points 1, 2 and 4 are dealt with.

Point 3 remains.


  • Chrome: <a rel="noreferrer">
  • Firefox: data-URIs. I have created a sophisticated approach to implement this feature for left- and middle-clicks, while still enforcing point 4. However, I'm struggling with the right-click method.

Recommended answer

I have found a solution which works in Chrome and Firefox. I've implemented the code in a Userscript, Don't track me Google.

Demo (tested in Firefox 9 and Chrome 17): http://jsfiddle.net/RxHw5/

Webkit-based browsers (such as Chrome, Safari) support <a rel="noreferrer"> (spec).
Referrer hiding can fully be implemented by combining this method with two event listeners:


  • mousedown - On click, middle-click, right-click contextmenu, ...
  • keydown (Tab Tab Tab ... Enter).

Code:

function hideRefer(e) {
   var a = e.target;
   // The following line is used to deal with nested elements,
   //  such as: <a href="."> Stack <em>Overflow</em> </a>.
   if (a && a.tagName !== 'A') a = a.parentNode;
   if (a && a.tagName === 'A') {
      a.rel = 'noreferrer';
   }
}
window.addEventListener('mousedown', hideRefer, true);
window.addEventListener('keydown', hideRefer, true);

* rel=noreferrer is supported in Firefox since 33, but support was limited to in-page links. Referrers were still sent when the user opened the tab via the context menu. This bug was fixed in Firefox 37 [bug 1031264].

Firefox did not support rel="noreferrer" until version 33 [bug 530396] (or 37, if you wish to hide the referrer for context menus as well).

A data-URI + <meta http-equiv=refresh> can be used to hide the referrer in Firefox (and IE). Implementing this feature is more complicated, but also requires two events:


  • click - On click, on middle-click, Enter
  • contextmenu - On right-click, Tab Tab ... Contextmenu

In Firefox, the click event is fired for each mouseup and hitting Enter on a link (or form control). The contextmenu event is required, because the click event fires too late for this case.

Based on data-URIs and split-second time-outs:
When the click event is triggered, the href attribute is temporarily replaced with a data-URI. The event finished, and the default behaviour occurs: Opening the data-URI, dependent on the target attribute and SHIFT/CTRL modifiers.
Meanwhile, the href attribute is restored to its original state.

When the contextmenu event is triggered, the link also changes for a split second.


  • The Open Link in ... options will open the data-URI.
  • The Copy Link location option refers to the restored, original URI.
  • ☹ The Bookmark option refers to the data-URI.
  • Save Link as points to the data-URI.

Code:

// Create a data-URI, redirection by <meta http-equiv=refresh content="0;url=..">
function doNotTrack(url) {
   // As short as possible. " can potentially break the <meta content> attribute,
   // # breaks the data-URI. So, escape both characters.
   var url = url.replace(/"/g,'%22').replace(/#/g,'%23');
   // In case the server does not respond, or if one wants to bookmark the page,
   //  also include an anchor. Strictly, only <meta ... > is needed.
   url = '<title>Redirect</title>'
       + '<a href="' +url+ '" style="color:blue">' +url+ '</a>'
       + '<meta http-equiv=refresh content="0;url=' +url+ '">';
   return 'data:text/html,' + url;
}
function hideRefer(e) {
   var a = e.target;
   if (a && a.tagName !== 'A') a = a.parentNode;
   if (a && a.tagName === 'A') {
      if (e.type == 'contextmenu' || e.button < 2) {
         var realHref = a.href; // Remember original URI
         // Replaces href attribute with data-URI
         a.href = doNotTrack(a.href);
         // Restore the URI, as soon as possible
         setTimeout(function() {a.href = realHref;}, 4);
      }
   }
}
document.addEventListener('click', hideRefer, true);
document.addEventListener('contextmenu', hideRefer, true);



Combining both methods

Unfortunately, there is no straightforward way to feature-detect this feature (let alone account for bugs). So you can either select the relevant code based on navigator.userAgent (i.e. UA-sniffing), or use one of the convoluted detection methods from How can I detect rel="noreferrer" support?.
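
An added example, not part of the original answer: a hardened variant of the answer's doNotTrack() helper. The body of a data: URI is percent-decoded before it is parsed as HTML, so this version HTML-escapes the target URL and then percent-encodes the whole document; the function names and the sample URL are constructed for illustration.

```javascript
// Added example: hardened variant of the answer's doNotTrack() helper.
// escapeHtmlAttr, buildRedirectDataUri and decodeDataUri are hypothetical names.

// Escape a string for use inside a double-quoted HTML attribute or text node.
function escapeHtmlAttr(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/"/g, '&quot;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;');
}

// Build a data: URI whose document redirects to `url` via <meta refresh>.
function buildRedirectDataUri(url) {
  // Only redirect to web URLs; refuse javascript:, data: and other schemes.
  if (!/^https?:\/\//i.test(url)) {
    throw new TypeError('only http(s) URLs are supported');
  }
  var safe = escapeHtmlAttr(url);
  var html = '<title>Redirect</title>'
           + '<a href="' + safe + '">' + safe + '</a>'
           + '<meta http-equiv="refresh" content="0;url=' + safe + '">';
  // Percent-encode the whole document so that %, # and " in the target URL
  // survive the data: URI decoding step unchanged.
  return 'data:text/html;charset=utf-8,' + encodeURIComponent(html);
}

// The HTML text a browser would parse after decoding the data: URI body.
function decodeDataUri(dataUri) {
  return decodeURIComponent(dataUri.slice(dataUri.indexOf(',') + 1));
}

// Constructed sample: a URL that already contains %22, &, < > and a fragment.
var sample = 'https://example.com/s?q=%22a%22&x=<b>#frag';
var uri = buildRedirectDataUri(sample);
console.log(uri);
console.log(decodeDataUri(uri));
```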
