Intercepting network calls to force Html header referer to null


Problem description

I've been using the Flex "HTML" component in my AIR 2.7 project. It's a wrapper for the HtmlLoader class.

The problem is that empty referers in HTML headers are automatically set to "app://[appname].swf". This is not standard as default referer behavior should be to not set any referer at all. The consequence is I'm getting denied access on certain websites using iframes (as location changes from an iframe set an empty referer).

I have no control over those requests, as no event is fired when changing the source of an iframe.

I have thought about the possibility of intercepting all network calls and setting the referer to empty when necessary before sending the message. My app is only a container in which a module is loaded for easier updates, so maybe I could set up a proxy on top or something like that.

Is there any way to intercept network messages in Flex??

After some chat with Adobe employees, I opened a bug in Adobe Bug Base about this : https://bugbase.adobe.com/index.cfm?event=bug&id=2945647

More info extracted from my comments:

I've tried (with Charles proxy) to emulate some cases for a particular site. When sent a blank or valid referer to load some swf file, it passes. However, it denies access on invalid (ex: app://) . That confirms the referrer problem.

There's no formal specification as to what is valid or invalid. I'm referring to what the sites I'm testing on expect. For example, cdn.nitrome.com/games/rubbletroubletokyo/rubbletroubletokyo.swf has such a referrer check and will return an "Access Denied." page if the request has been sent with a referrer it considers invalid, such as app://foo.swf or even http://www.google.com. It sends the correct file if no referrer is sent OR with the page that should be calling the swf file (http://www.nitrome.com/games/rubbletroubletokyo in this case).

The app is for children and contains a web browser. Only authorized sites are allowed (either by the parents or the publisher) and www.nitrome.com will be one of them at launch. Of course, I have to make sure everything planned at launch will be working! I have succeeded in creating a hack for nitrome.com, but it's REALLY specific. We'll have to create hacks for every website we encounter problems on and that's.. well, time consuming and hard to maintain
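
The referrer check described in the question above, sketched as an added example (not code from the original post or from the site): it models only the behaviour reported there. The function name `checkReferer`, the helper and the allow-list are assumptions.

```javascript
// Added illustration: a Referer check modelled on the behaviour the question
// observed. Constructed policy; not the site's real implementation.
// Referer is client-supplied, so a check like this deters hotlinking only.
const ALLOWED_PAGES = [
  // Constructed allow-list entry, taken from the URL quoted in the question.
  "http://www.nitrome.com/games/rubbletroubletokyo",
];

function normalisePath(pathname) {
  // Treat "/a/b" and "/a/b/" as the same page.
  return pathname.length > 1 ? pathname.replace(/\/+$/, "") : pathname;
}

function checkReferer(refererHeader, allowedPages = ALLOWED_PAGES) {
  // No Referer at all (or an empty one) is accepted, as the question reports.
  if (refererHeader === undefined || refererHeader === null) return "allow";
  const value = String(refererHeader).trim();
  if (value === "") return "allow";

  let ref;
  try {
    ref = new URL(value);
  } catch {
    return "deny"; // unparseable value
  }
  // AIR's app:// value fails here: only web schemes are considered.
  if (ref.protocol !== "http:" && ref.protocol !== "https:") return "deny";

  const refPath = normalisePath(ref.pathname);
  for (const page of allowedPages) {
    const allowed = new URL(page);
    const allowedPath = normalisePath(allowed.pathname);
    // Exact host match, so "www.nitrome.com.example" cannot pass.
    if (ref.hostname !== allowed.hostname) continue;
    // Path must be the page itself or below it, on a "/" boundary.
    const prefix = allowedPath.endsWith("/") ? allowedPath : allowedPath + "/";
    if (refPath === allowedPath || refPath.startsWith(prefix)) return "allow";
  }
  return "deny";
}
```
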

Recommended answer

As there are no ways of messing with the referrer, we had to implement specific hacks for each website we have problems with (if it's hackable, of course).

Here's what I have done for www.nitrome.com games.

The game page works like this: load an swf ad inside an iframe; when the ad is complete (or the user clicks on skip) it changes the iframe content so that it loads the game swf.

It fails because of the referrer, but I can in code find out (with a timer...) about the content being changed, find the game swf path (regex) and force the frame contentWindow.location to the swf path.

As I said, it's a hack and it's really specific, but it works surprisingly well.
