如何获取 javascript 小部件的嵌入页面的 url [英] How to get url of embedding page for a javascript widget

问题描述

(重新措辞，因为其他方面的观点很少).

(Rewording the question as there were very few views otherwise).

我想构建一个小部件，其他人可以将其包含在他们的网站上，而小部件本身将托管在我的网站上.我知道只有一种方法可以构建可以嵌入其他网站的小部件:想要嵌入小部件的网站从我的网站获取 javascript，它在页面上执行document.write".类似的东西:

I want to build a widget that others can include on their website, and the widget itself will be hosted on my website. I am aware of just one method to build widgets that can be embedded on other websites: The website that wants to embedd the widget sources a javascript from my site, which does "document.write" on the page. Something like:

<script language="javascript" src="http://www.my-website-that-will-host-the-widget.com/javascript-emitter.php?id=1234&width=200&bordercolor=000000&bg=ffffff&textcolor=000000"></script> 

现在，我想让一个特定的小部件只能从特定的域访问.为此，我想知道可靠地嵌入我的小部件的页面的 URL.没有人应该能够欺骗它.例如，如果我在嵌入代码中有一个显式变量，人们可以更改它.

Now, I want to make a particular widget accessible from only particular domains. For this, I want to know the URL of the page that is embedding my widget reliably . No-one should be able to spoof it. For example, if I have an explicit variable in the embedding code, people can change it.

我该怎么做?(我还希望为嵌入我的小部件的人编写最少的代码).

How do I do it? (I also want that there minimal code to write for the person who is embedding my widget).

问候，

日本

解释 1:

假设我想这样做:如果从 1.com 访问小部件，则显示 A，否则显示 B.我如何可靠地做到这一点.事实是，除非从 1.com 访问小部件，否则A"不应在代码中可见.(因此，如果嵌入在2.com中，我不想输出if(location.href == 1.com) write(A) else write (B)

Lets say I want to do this: If widget is accessed from 1.com, display A, else display B. How do I do it reliably. Thing is, "A" is something that should not be visible in the code unless the widget is accessed from 1.com. (Thus, if it is embedded in 2.com, I don't want to output if(location.href == 1.com) write(A) else write (B)

注 1:

(顺便说一句，如果有人觉得我的方法不好/效率不好，并且可以建议更好的方法/教程等，那会很有帮助.大多数谷歌查询都会为您提供解释如何构建/获取小部件的网站您的网站"....通常指向允许您构建由它们托管的小部件的网站，我想了解如何构建可以由我网站上的其他网站嵌入的小部件)

(As an aside, if someone feels my method is not good/efficient and can suggest better methods/tutorials, etc., that would be great help. Most google queries give you sites that explain how to build/obtain widget for "your site".... and usually point to websites that allow you to build widgets hosted with them, I want to understand how to build widgets that can be embedded by other websites from my site)

推荐答案

在客户端的javascript中，可以使用location.href获取当前页面的url:

In javascript on the client-side, you can use location.href to get the url of the current page:

var url = location.href;

如果您根本不想为禁止域输出任何 javascript，在您的 php 中，您可以使用全局变量 $HTTP_REFERER 检查 HTTP_REFERER 标头.在你的 javascript-emitter.php 脚本中试试这个:

If you do not want to output any javascript at all for a forbidden domain, in your php you can check the HTTP_REFERER header with the global variable $HTTP_REFERER. In your javascript-emitter.php script try this:

<?php 
echo $HTTP_REFERER; 
?> 

但是请注意，这并不总是值得信任的:由客户端(浏览器)发送正确的 REFERER 标头.当然，如果有人真的想在他们的网站上包含您的小部件，他们可以轻松地请求您的 javascript 服务器端欺骗 REFERER 标头 - 将其设置为您白名单上的内容 - 在将其转发给客户端之前.

However be warned that this is not always to be trusted: it is up to the client (the browser) to send the correct REFERER header. And of course if someone really wanted to include your widget on their site, they could easily request your javascript server-side spoofing the REFERER header - that is set it to something that's on your whitelist - before forwarding it to the client.

简而言之，您无法轻松且绝对地阻止列入黑名单的网站使用您的小部件.

In short there's no way you can easily and absolutely block blacklisted sites from using your widget.

这篇关于如何获取 javascript 小部件的嵌入页面的 url的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！