URLReferrer为空时,页面HTTPS [英] URLReferrer is null when page is HTTPS
问题描述
我们使用URLReferrer和code传入查询字符串,生产在线视频,这样只有我们的付费客户可以链接到我们的视频播放页面。该系统已经有一段时间运作良好。我知道URL引用是可以被欺骗,但谁告诉他们的客户做这样的事来访问视频?它的工作很适合我们。
We use the URLReferrer and a code passed in on the query string to produce online videos so that only our paid clients can link to our video playback page. This system has worked well for some time. I know the URL referrer can be spoofed, but who would tell their clients to do such a thing to access a video ? It's worked well for us.
不过,今天有人问我对别人对他们来说没有工作。该URLReferrer为空,他们的网站是HTTPS。我在网上做了一些阅读,我得到的IM pression没有办法访问URL引用时,源页面为https。它是否正确 ?如果我做了我们网站的HTTPS版本,将是解决这个问题?或者有没有为我解决这个问题的任何其他方式?
However, today I was asked about someone for whom it did not work. The URLReferrer is null, and their site is HTTPS. I have done some reading online and I get the impression there's no way to access the URL referrer when the source page is https. Is this correct ? If I made a https version of our site, would that resolve it ? Or is there any other way for me to get around this ?
感谢
推荐答案
您的在线研究是正确的。不设置一个HTTP网址标头或等效的主要原因是,这可能是一个安全问题。其中便含有你来自哪里,这是私人信息,而不应暴露给别人,有什么用呢,否则有一个安全的网站,如果每个人都可以跟踪你到哪里去了?
Your online research is correct. The main reason for not setting an HTTP Referrer header or equivalent is that this could be a security issue. The referrer contains "where you come from", this is private information, and should not be exposed to others, what use is it otherwise to have a secure site if everyone can track where you have been?
所以:如果引用加密(使用SSL或其他方式)你不能得到引荐
So: you cannot get the referrer if the referrer is encrypted (with SSL or otherwise).
更新:这是什么 HTTP规范说,大约从一个安全的网站:
客户端中不包括(非安全)一个Referer头场
HTTP请求,如果引用页用安全转移
协议。
Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
正如你可能已经猜到了,有这种限制没有办法。你唯一的选择就是使用不同的验证模型。其中的一个方法是给你的用户的关键,并要求他们发送与请求的参数。还有一些方法可以想到的。
As you might have guessed, there's no way around this restriction. Your only option is to use a different verification model. One such method is giving your users a key and require them to send that as a parameter with the request. Several other methods can be thought of.
这篇关于URLReferrer为空时,页面HTTPS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
