Google API: Authorized JavaScript Origins


Question

I'm implementing a Google+ Sign-In for our web service, and stumbled on "Authorized JavaScript Origins". Our clients have web addresses either as a sub-domain of our main domain, or as a custom domain name. Since the login page is under that sub-domain (or custom domain), and in order to make the Google+ Sign-In button work, that custom domain/sub-domain should be (manually) entered in the "Authorized JavaScript Origins" list (with both http and https).

Does anybody know a way to do that automatically (through some API maybe)? If not, then how do you do it?

Recommended answer

Not sure if there is an API for this. At first glance I don't see one. The alternative (aside from manually adding domains all the time) is to use a hidden iframe on each site - this iframe would come from your domain and would be the only thing that calls Google services. The main sites would communicate with the iframe (postMessage) to tell it what to send Google. This of course, opens up a security risk (anybody could load your iframe into their page and do bad things on your behalf) so you'll want to make sure that the iframe code refuses to do anything unless it's running within a page on a known-good domain.
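
The check the answer describes, sketched as an added example that is not part of the original answer: the iframe's `message` listener acts only on exact-match allowlisted origins and replies with a pinned target origin. `ALLOWED_ORIGINS`, `createBridgeHandler`, the `signin` action and the sample origins are hypothetical names constructed for illustration.

```javascript
// Added example. All names and origins are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://customer-a.example.com",   // client on a sub-domain (constructed)
  "https://login.customer-b.example", // client on a custom domain (constructed)
]);

// Builds the "message" listener for the iframe served from the main domain.
// `actions` maps an action name to the function allowed to run for it.
function createBridgeHandler({ allowedOrigins, actions }) {
  return function onMessage(event) {
    // 1. Exact match on the browser-supplied origin (scheme + host + port).
    //    Substring or suffix tests would accept look-alike hosts, and a
    //    sandboxed embedder reports the string "null", which never matches.
    if (!allowedOrigins.has(event.origin)) {
      return { handled: false, reason: "origin" };
    }
    // 2. Accept only structured messages that name a known action.
    const msg = event.data;
    if (msg === null || typeof msg !== "object" || typeof msg.action !== "string") {
      return { handled: false, reason: "shape" };
    }
    const action = actions.get(msg.action);
    if (typeof action !== "function") {
      return { handled: false, reason: "action" };
    }
    const result = action(msg.payload, event.origin);
    // 3. Reply to the sender only, pinning targetOrigin instead of "*".
    event.source.postMessage({ action: msg.action, result }, event.origin);
    return { handled: true };
  };
}

// Browser wiring (skipped when run outside a browser, e.g. under Node).
if (typeof window !== "undefined") {
  const actions = new Map([
    // Placeholder: the real handler would call the Google sign-in code here.
    ["signin", (payload, origin) => ({ started: true, origin })],
  ]);
  window.addEventListener(
    "message",
    createBridgeHandler({ allowedOrigins: ALLOWED_ORIGINS, actions })
  );
}
```

The handler returns a status object so the rejection paths can be unit-tested. Serving the iframe with a `Content-Security-Policy: frame-ancestors` header listing the same origins additionally stops other pages from embedding it at all.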
