http_referer lost using https


Problem description

Picture two web pages, both viewed using https. They reside on different domains.

How can I (reasonably) ensure that someone arriving at my page came via a hyperlink that resides on another (specific) domain? I only want to allow traffic from that domain. Any ideas on the best way to accomplish this would be appreciated.

I tried looking at the HTTP_REFERER, but apparently it is not being sent in this case. I know that the HTTP RFC specifies not sending the referrer info from https -> http, but does this also apply to https -> https across domains or SSL certs?

My domain runs on ASP.NET if it matters. I have no control over the source domain.

Thanks.

Recommended answer

Elaborating on mjv's response: you should put an HMAC (RFC 2104) into the URL. Have a shared secret between the two servers, and have the originating server generate links of the form /timestamp/hmac/path. The hmac should be verified as hmac(key, timestamp+path), so that different images generate different hmacs. The target server can then decide whether the timestamp is young enough to originate from a redirect.

You can further restrict that by putting the IP address of the client into the hmac, requiring that the same client that received the URL is also resolving it. That may be error-prone, though, in the presence of HTTP proxies which process only http and not https or vice versa.
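The scheme described in this answer, as an added example that is not part of the original answer or the site: the originating server signs `/timestamp/hmac/path` with a shared key, and the target server re-computes the HMAC over the timestamp and path (optionally also the client IP), compares it in constant time, and rejects links older than a freshness window. HMAC-SHA256, the `|` separator inside the signed message, the 300-second window and the shared secret are all assumptions made for this example; the original answer says only hmac(key, timestamp+path).

```python
import hmac
import hashlib
import time

# Constructed shared secret for the example only; both servers would load
# a real one from configuration.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
MAX_AGE_SECONDS = 300      # assumed freshness window for a signed link
CLOCK_SKEW_SECONDS = 60    # tolerate a slightly fast originating clock


def compute_mac(key, timestamp, path, client_ip=None):
    """hmac(key, timestamp + path), plus the client IP when binding is wanted.

    A separator is used so that timestamp and path boundaries are unambiguous.
    """
    msg = f"{timestamp}|{path}"
    if client_ip is not None:
        msg += f"|{client_ip}"
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def sign_url(key, path, now=None, client_ip=None):
    """Originating server: build /timestamp/hmac/path for a resource path."""
    ts = int(now if now is not None else time.time())
    return f"/{ts}/{compute_mac(key, ts, path, client_ip)}{path}"


def verify_url(key, url, now=None, max_age=MAX_AGE_SECONDS, client_ip=None):
    """Target server: parse the signed URL and return (ok, reason, path).

    Rejects malformed URLs, stale or future timestamps, and MAC mismatches.
    """
    parts = url.split("/", 3)
    if len(parts) != 4 or parts[0] != "":
        return False, "malformed", None
    _, ts_str, mac, rest = parts
    if not ts_str.isdigit():
        return False, "malformed", None
    path = "/" + rest
    ts = int(ts_str)
    now = int(now if now is not None else time.time())

    # Freshness check comes first so a replayed old link fails cheaply.
    if now - ts > max_age:
        return False, "stale", None
    if ts > now + CLOCK_SKEW_SECONDS:
        return False, "future", None

    expected = compute_mac(key, ts, path, client_ip)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(mac, expected):
        return False, "bad-mac", None
    return True, "ok", path


if __name__ == "__main__":
    link = sign_url(SHARED_SECRET, "/images/cat.jpg")
    print(link)
    print(verify_url(SHARED_SECRET, link))
```

Binding the client IP (the `client_ip` argument on both sides) is the answer's optional tightening; as it notes, a client whose https traffic leaves through a different proxy than its http traffic will present a different address to the target server and the link will be refused, so that option is best left off unless both servers see the same client address.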
