在Chrome扩展程序中保护网站API密钥 [英] Securing website API keys in Chrome extensions

问题描述

我正在使用Remember the Milk web API构建Chrome扩展程序。为了调用此API中的方法，我需要使用API​​密钥和共享密钥来签署我的请求。

我担心的是，任何用户都可以如果将它们包含在已发布的扩展中，请打开扩展并提取这些值。这可能会也可能不会增加用户的安全性，但是他或她肯定会使用/滥用我的API密钥，并可能会被吊销。

这是我的应该关注？在已发布的JavaScript应用程序中是否有保护这类信息的最佳实践？

解决方案

最终，您无法真正隐藏任何内容一个在浏览器中运行的JS应用程序;你可以混淆或再缩小代码，这会分散普通用户从周围窥探，但最终它总是将是能够抓住你的明文秘密。

如果您真的需要防止这种情况发生，那么一种选择是将来自您的扩展的呼叫传递给您有权访问的服务器。您的服务器可以添加签名所需的任何参数，将呼叫转发到相关的API，并将API的响应传回给用户。当然，这增加了您可能不想要的带宽/正常运行时间限制。

I'm building a Chrome extension using the Remember the Milk web API. In order to call methods in this API, I need to sign my requests using an API key and a "shared secret" key.

My concern is that any user could just crack open the extension and pull out these values if I include them in the published extension. This may or may not pose a security rise for the user, but he or she could certainly use/abuse my API key and maybe get it revoked.

Is this something I should be concerned about? Are there any best practices for protecting this type of information in published JavaScript applications?

解决方案

Ultimately you can't truly hide anything within a JS application that's run in the browser; you can obfuscate or minify the code, which will distract casual users from snooping around, but in the end its always going to be possible to grab your plaintext secret.

If you really need to prevent this from happening, then one option is to pass calls from your extension to a server you have access to. Your server can add any paramters required for signing, forward the call on to the relevant API, and pass the API's response back to the user. Of course this adds bandwidth / uptime constraints which you may not want.

这篇关于在Chrome扩展程序中保护网站API密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！