Get referer of website that is requesting your js file

Question

I have an embed script that simply does this:

document.write(unescape('%3Cscript src="' + mp_protocol + 'blah.cloudapp.net/js?location=' + window.location + '" type="text/javascript"%3E%3C/script%3E'));

As you can see right now the URL of the webpage that is embedding the code is passed in using window.location. But this can easily be edited by the client.

I wanted to know if I can get the referrer instead of passing the url. I wasn't sure if referring info would be passed since this script is embedded?

(yes, you can also fake referrers... but that is a bit more effort than I think most people will want).

Recommended answer

The browser will usually send a "Referer" (sic) header for script requests, which contains the URL of the page containing the script link, regardless of how that script element was created.

This is accessible by checking the "Referer" HTTP variable (note unusual spelling).

The idea is that you can check this variable and see if it refers to part of your site.

Note that this variable is not always accurate; a user may elect to protect their privacy by not sending a referer header (using some sort of dinky privacy tool) and they may even modify their browser to send whatever they want in this field. So it shouldn't be relied upon for authentication, unless you also take into account that even a legitimate user may have left it blank or put an arbitrary string in it.
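As an added example (not part of the original answer), here is one way to do the check the answer describes on the server that serves the script, written for Node.js. The function name, the status labels and the allowed host names are assumptions made up for illustration.

```javascript
// Added example, not code from the original post.
// ALLOWED_HOSTS holds constructed sample values for sites expected to embed the script.
const ALLOWED_HOSTS = new Set(['customer-a.example', 'www.customer-b.example']);

// Classify the Referer header of a request for the embed script.
// `headers` is an object shaped like Node's req.headers (names lower-cased).
function classifyReferer(headers, allowedHosts = ALLOWED_HOSTS) {
  const raw = headers['referer']; // HTTP spells it "Referer"
  if (raw === undefined || raw.trim() === '') {
    // Legitimate users can arrive without it (privacy tools, Referrer-Policy).
    return { status: 'missing', host: null };
  }
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return { status: 'malformed', host: null };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { status: 'malformed', host: null };
  }
  // Compare the parsed host name exactly. A substring or prefix test would
  // also accept "customer-a.example.attacker.test". Cross-origin requests
  // often carry only the origin, so match on host rather than on the path.
  const host = url.hostname.toLowerCase();
  return { status: allowedHosts.has(host) ? 'known' : 'unknown', host };
}

// Constructed sample header sets, covering the cases the answer warns about.
const samples = [
  { referer: 'https://customer-a.example/pricing' },
  { referer: 'https://customer-a.example.attacker.test/' },
  { referer: 'not a url' },
  {},
];
for (const headers of samples) {
  console.log(JSON.stringify(headers), '->', classifyReferer(headers).status);
}
```

The result is a hint for logging or analytics only: any client can send whatever Referer value it likes, so a 'known' status does not authenticate the caller and a 'missing' one should not be treated as hostile.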
