Guarantee the origin (parent URL) of a cross domain window.opener call by preliminary CORS call to the server


Problem description

My first question.

Here is the task. I have a button which I want to put on 3rd party websites. When the user clicks that button, a new window opens by means of the JavaScript window.open method. In that window the user is redirected to my web application and has to log in. Now, how can I know for sure where the user came from (e.g. which website he clicked the button on)? Basically I want two things: make sure I can track which website the button was clicked on when the popup opens, AND also make sure that only subscribers can use that button (well, the first condition will make it possible, since I will be able to filter out unauthorized requests based on the URL).

Obviously window.opener doesn't work because it's cross-domain and the browser won't allow it.

One idea I had was to use a CORS request from my script when the page loads, which would call my server; the server would generate some secret, set a cookie with it, and then return another piece of JavaScript code containing a window.open call with that secret as a parameter and another parameter assigned the value of document.location (this basically sets the current URL as a parameter). This theoretically should ensure that the script which called the popup was legitimately received from my server, hence the URL it provides is correct. Otherwise, if someone created their own script to call my popup, they could of course set any URL they want as a parameter, BUT they wouldn't know the correct cookie secret.

Please let me know if my approach is right and cannot be hacked, or is it rubbish? Also, is there a better way to do this?

I've been researching and thinking about it for a couple of days now; it hurts my brain.

Thanks to everyone in advance; any help is appreciated.

Recommended answer

I found the solution myself.

Because window.open calls another domain, window.opener and document.referrer won't work.

The only way here is to use the message sending mechanism between windows (web messaging) described here: http://en.wikipedia.org/wiki/Web_Messaging

It looks like all major browsers now support this.

It allows sending messages to another window with a different domain and setting the expected domain, so in the receiving window you can also set the expected domain from which messages can be received. This way you know for sure that this particular domain sent the message and can guarantee the URL of the opener.
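The handshake the answer describes, as an added example that is not part of the original answer: the opener page posts its URL to the popup with targetOrigin pinned to the app, and the popup trusts only the browser-set event.origin, checked against a subscriber allowlist. APP_ORIGIN, SUBSCRIBER_ORIGINS and the "opener-info" message type are assumed names.

```javascript
// Assumed values (constructed for this example): our app's origin and the
// origins of subscribed third-party sites that are allowed to use the button.
const APP_ORIGIN = 'https://app.example';
const SUBSCRIBER_ORIGINS = new Set([
  'https://subscriber-one.example',
  'https://subscriber-two.example',
]);

// --- Third-party page (the opener) ---
// After window.open(), once the popup signals it is ready, send it the current
// page URL. targetOrigin is the app origin, so the browser drops the message
// if the popup has navigated anywhere else. postFn is injectable for testing.
function announceToPopup(popup, currentHref, postFn = (w, m, o) => w.postMessage(m, o)) {
  postFn(popup, { type: 'opener-info', href: currentHref }, APP_ORIGIN);
  return { type: 'opener-info', href: currentHref };
}

// --- Popup (our app) ---
// Validate one received message. The only trustworthy field is event.origin,
// which the browser fills in and the sender cannot forge; the href in the
// payload is informational and must agree with that origin.
function handleOpenerMessage(event, allowlist = SUBSCRIBER_ORIGINS) {
  if (!allowlist.has(event.origin)) return null;            // not a subscriber
  const data = event.data;
  if (!data || data.type !== 'opener-info' || typeof data.href !== 'string') return null;
  let url;
  try { url = new URL(data.href); } catch (e) { return null; } // malformed href
  if (url.origin !== event.origin) return null;              // payload disagrees with real origin
  return { origin: event.origin, href: url.href };
}

// Register the listener in a browser; skipped under Node so the functions above
// can be exercised directly.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const info = handleOpenerMessage(event);
    if (info) console.log('button was clicked on', info.href);
  });
}
```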
