PHP-如何检查请求是否针对JS worker [英] PHP - How to check if request is for JS worker

问题描述

向MDN咨询 referrer-policy 以及Google搜索，DuckDucking和StackOverlow搜索，也许您可​​以帮助我解决这个相当简单的问题(但仍然是虚幻的)?

处理流程

1. 浏览器向服务器发出请求
2. 基于 HTTP_REFERER 标头，服务器决定响应

但是为什么呢? (你问)

这是一组精心设计的安全检查的一部分，在这种情况下，确定客户端是否可以访问请求的文件 FUBU (由我们提供).

如果缺少 referer ，这将不起作用，但是当JavaScript发出对指定工作程序的请求时- referer (请求标头)确实缺失. /p>

我尝试过的方法-失败

• 为每个请求设置Referrer-Policy: same-origin
• 设置适当的CORS标头Access-Control-Allow-Headers: x-requested-with-响应每个请求.

问题

如何确定是对JS辅助文件的请求，还是只是强制HTTP机制使其行为正常?

解决方案

跳出框框思考

由于没有似乎"不可能以良好"的方式做到这一点，因此人们总是可以运用小小的创造力来实现特定的结果.

回顾一下:

• 要求 是一种可以识别从哪里发出请求的方法
• 这可以通过Worker调用手动实现，也可以自动
• 任何 安全 问题似乎都在其他地方处理
• 在调用时更改Worker URL可能有助于自动处理

可行的解决方案

这里是一个包装器，可用于劫持"某些类调用或方法:

const hijack = function(driver,victim,jacker)
{
    if(((typeof driver)=='string')&&!victim){return this.plan[driver]}; // recap
    if(victim in this.plan){return}; // only jack once? .. less cruel
    this.plan[victim]={victim:driver[victim],jacker:jacker}; // plan the heist

    let con = {enumerable:false,configurable:false,writable:false,value:function()
    {
        let car=hijack((this.mask||this.name||this.constructor.name)); let m=this.mask;
        let arg=car.jacker.apply(null,arguments); if(!Array.isArray(arg)){arg=[arg]};
        if(!m){return new (Function.prototype.bind.apply(car.victim,[null].concat(arg)))()}
        else{return car.victim.apply(this,arg)};
    }};

    try{con.value.prototype = Object.create(driver[victim].prototype)} // blend in
    catch(oops){Object.defineProperty(driver,'mask',{value:victim});}; // recover
    Object.defineProperty(driver,victim,con);
}.bind({plan:{}});

...钉子碰到锤子

工作原理

• 它接受3个参数:
  1. driver〜包含目标函数/方法的对象
  2. victim〜将被拦截的函数/方法的名称
  3. jacker〜回调函数-用于中继/更改参数

• 原始方法被复制到可以使用或后续调用的地方
• 回调函数强加(放置)原始对象，并且可以在调用者和被调用者之间传递不变的参数(与原始对象完全一样)，但是现在您可以控制它的发生方式(如果有的话)以及确切地传递什么内容；有一些简单的条件或一些精心设计的方案(又称邪恶计划")
• 为简单起见，此代码(上文)仅允许每个victim进行1次拦截，但是可以将其扩展为多次拦截.通过链中继"(回调数组)或事件调度程序+事件侦听器组合".

使用方法

特定于问题:

hijack(window,'Worker',function(arg){return `${arg}?worker=true`});

要解决注释中的安全问题，可以使用 api-key ；因此，如果将某些string传递给当前会话(或客户端)唯一的正在运行的实例(浏览器或服务器)，则可以满足要求，例如:

hijack(window,'Worker',function(arg){return `${arg}?worker=${window.ApiKey}`});

..其中ApiKey全局定义为string，但也可能是函数调用的结果-该函数从cookie或任何一个中获取它.

有用的工具

这也可以用来增强 的安全性.如果您担心来自 devtools 的 XHR 请求，甚至更糟: eval( ) -然后您可以使用此hijack全局拦截这些调用/调用.

例如:

hijack(URL,'createObjectURL',function(arg){console.log(arg); return `whatever`});

如果您打算将其用作安全工具，则它需要一些TLC，其中带有一些调用堆栈回溯"，变异观察者" ..和少量(暗)物质(:

免责声明
在锻炼过程中没有人受伤..受害者证明可以..自行决定使用

After consulting MDN for the referrer-policy and Googling, DuckDucking and StackOverlow-searching, maybe you can help me with this rather simple (yet illusive) issue?

Process Flow

1. the browser makes a request to the server
2. based on the HTTP_REFERER header, the server decides a response

but why? (you ask)

This is part of an elaborate set of security checks, in this case deciding if the client has access to a file requested FUBU (for us by us).

This will not work if the referer is missing, but when JavaScript issues a request for a specified worker - the referer (request-header) is indeed missing.

what I've tried - and FAILED

• setting Referrer-Policy: same-origin for EVERY request
• setting the appropriate CORS headers Access-Control-Allow-Headers: x-requested-with - in response to EVERY request.

question

How can I find out if a request was made for a JS worker file, or just FORCE the HTTP mechanism to behave like it should?

解决方案

Thinking out of "the box"

Since there "seems" to be no way to do this in a "good" way, one could always apply a lil creativity to achieve a specific outcome.

Just to recap:

• the requirement is to have a way to identify from where a request is made
• this can either be achived manually per Worker invocation, or automatically
• any security issues seem to be handled elsewhere
• altering the Worker URL upon invocation could be helpful for automatic handling

Work-able solution

Here is a wrapper that can be used to "hijack" some class invocations or methods:

const hijack = function(driver,victim,jacker)
{
    if(((typeof driver)=='string')&&!victim){return this.plan[driver]}; // recap
    if(victim in this.plan){return}; // only jack once? .. less cruel
    this.plan[victim]={victim:driver[victim],jacker:jacker}; // plan the heist

    let con = {enumerable:false,configurable:false,writable:false,value:function()
    {
        let car=hijack((this.mask||this.name||this.constructor.name)); let m=this.mask;
        let arg=car.jacker.apply(null,arguments); if(!Array.isArray(arg)){arg=[arg]};
        if(!m){return new (Function.prototype.bind.apply(car.victim,[null].concat(arg)))()}
        else{return car.victim.apply(this,arg)};
    }};

    try{con.value.prototype = Object.create(driver[victim].prototype)} // blend in
    catch(oops){Object.defineProperty(driver,'mask',{value:victim});}; // recover
    Object.defineProperty(driver,victim,con);
}.bind({plan:{}});

... nail meets hammer

How it works

• It takes in 3 arguments:
  1. driver ~ the object that contains the target function/method
  2. victim ~ the name of the function/method that will be intercepted
  3. jacker ~ a callback-function -which is used to relay/change arguments

• The original method is copied to where it can be used or subsequent calls
• The callback imposes (deposes) the original and can either relay arguments unchanged between the caller and the callee (exactly like the original), but now you can control how it happens (if at all) and what to relay exactly; either with some simple condition(s) or some elaborate scheme (a.k.a "evil plan")
• For the sake of simplicity this code (above) only permits 1 interception per victim, but this can be extended for multiple intercepts; either by "chain-relay" (callback array) or "event-dispatcher + event-listener combo(s)".

How to use

Specific to the question:

hijack(window,'Worker',function(arg){return `${arg}?worker=true`});

To address the security concerns in the comments, an api-key could be useful; so if some string was passed to the running instance (browser or server) that is unique to the current session (or client), it could suffice, for example:

hijack(window,'Worker',function(arg){return `${arg}?worker=${window.ApiKey}`});

.. where ApiKey was defined globally as a string, but it can also be the result of a function-call -which gets it from a cookie, or whichever.

Useful tool

This can also be used to enhance security. If you are concerned about XHR requests made from devtools or even worse: eval() -then you can use this hijack to intercept those calls/invocations globally.

For example:

hijack(URL,'createObjectURL',function(arg){console.log(arg); return `whatever`});

If you plan to use this as security tool, then it needs some TLC with a dash of "call-stack back-trace", a "mutation-observer" .. and a pinch of (dark) matter (:

disclaimer
nobody got hurt during this exercise .. the victim turned out okay .. use at your own discretion

这篇关于PHP-如何检查请求是否针对JS worker的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！