Secure the code in a Google Chrome extension


Question

I want to write a Google Chrome extension that should make a request to my website to send and get some data, so actually I should do an Ajax request like it is written here: https://developer.chrome.com/extensions/xhr.html

// Fragment from the Chrome docs; the handler and send() call are added so it runs as-is.
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://api.example.com/data.json", true);
xhr.onload = function () {
  // Response body is available here once the request completes.
  console.log(xhr.status, xhr.responseText);
};
xhr.send();

I wanted to ask if there is a way to somehow secure the code or prevent others from using my API, because actually the other users can see the source code of the extension when they install it, and so use my API without me being aware of it.

Edit:

If I need to make some sort of authentication, then how can I authenticate the user before making the Ajax call? For authentication I will need to send a request to my server, but for that I should send, e.g., a username and password, which should be saved somewhere in the extension's files, which, in fact, can be seen by the users when they install the extension.

Thanks

Answer

Don't trust the browser; take steps to authenticate the user instead. So, in this case, you could require that YOU enter a password that is used to communicate with your server.

Your Google extension would simply require you to enter a password before it attempts to use AJAX to communicate with your server.


Be aware that you should build in means of protecting yourself from brute-force attacks. So, do things like lock everything down if there are more than some small number of wrong passwords, etc.


You could also consider using the password to simply decrypt the destination of the XHR, but if you go this route, you should store this very carefully, because this will be brute-forceable offline.

EDIT: Trying to lock down an API so that only a single application can use it is just not practical nor technically possible, so your only hope of doing this is to authenticate the user using the API, regardless of the accessing software he is using. You could have the user sign an agreement that legally limits them to only your extension, but I suspect this will go largely unenforceable and will consume your time tracking abusers down.

If you don't want unauthorized people even knowing where the API is, you could perform authentication using an out-of-band mechanism: over the telephone, email, SMS, or simply another API that will grant the user a password or token that requests to your API must be accompanied with.

During this out-of-band process, you could also grant the user a unique URI (the API access point) that is only valid per authenticated session (https://api.totally-cool-extension.com/api/ijyeDvB5dYvSiWG97OLuTAoNWwbhuZ0/, for example). Any requests to your server on OTHER URIs simply won't work. However, this isn't theoretically much different than using the same API access point and having a good password. It just changes the number of places in your architecture that will be performing authentication and/or authorization checks.

Aside: My vote would be to reduce the number of authorization/authentication points to as few as possible, so that you can spend more time on getting that one place correct rather than having multiple places and possibly multiple logic flaws or other things that could lead to vulnerabilities.


You could also explore using Public Key Infrastructure and/or one-time passwords schemes or device-based token generators, etc., but in the end, you'll be allowing authenticated and authorized users to use your API. And, thanks to the Internet, this will not remain an undisclosed URI for long.

And, more importantly, it will not prevent someone from using the data on their own. Even with all these measures in place, it would be trivial for an authorized user to collect this data as it is being streamed to your extension. Or, if you employ point-to-point encryption, they could screen-scrape, or use some form of JS introspection on your very code, or even extract the data from their computer's memory.


I know you were looking for a silver bullet here, but it doesn't exist.
