Google API: Authorized JavaScript Origins


Question


I'm implementing a Google+ Sign-In for our web service, and stumbled on "Authorized JavaScript Origins". Our clients have web addresses either as a sub-domain of our main domain, or as a custom domain name. Since the login page is under that sub-domain (or custom domain), and in order to make the Google+ Sign-In button work, that custom domain/sub-domain should be (manually) entered in the "Authorized JavaScript Origins" list (with both http and https).


Does anybody know a way to do that automatically (through some API maybe)? If not, then how do you do it?

Recommended answer


Not sure if there is an API for this. At first glance I don't see one. The alternative (aside from manually adding domains all the time) is to use a hidden iframe on each site - this iframe would come from your domain and would be the only thing that calls Google services. The main sites would communicate with the iframe (postMessage) to tell it what to send Google. This, of course, opens up a security risk (anybody could load your iframe into their page and do bad things on your behalf) so you'll want to make sure that the iframe code refuses to do anything unless it's running within a page on a known-good domain.
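
One way to implement the known-good-domain check the answer describes, as an added example that is not part of the original answer. The origin list, the `signin-start` action and the message shape are assumptions chosen for illustration.

```javascript
// Added example: code that runs inside the hidden iframe served from your domain.
// ALLOWED_ORIGINS, ALLOWED_ACTIONS and the message shape are assumptions.
const ALLOWED_ORIGINS = new Set([
  'https://customer1.example.com',   // constructed sample tenant sub-domain
  'https://shop.customer2.example',  // constructed sample custom domain
]);
const ALLOWED_ACTIONS = new Set(['signin-start']);

// Exact match on the serialized origin (scheme + host + port). Substring,
// endsWith or loose regex checks would accept "customer1.example.com.evil.test".
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Decide what to do with one MessageEvent-like object. Returns a reply
// descriptor, or null when the message must be dropped silently.
function handleMessage(event) {
  if (!isAllowedOrigin(event.origin)) return null;             // unknown embedder
  const data = event.data;
  if (data === null || typeof data !== 'object') return null;  // structured data only
  if (!ALLOWED_ACTIONS.has(data.action)) return null;          // no arbitrary commands
  return {
    targetOrigin: event.origin,  // never '*': reply only to the verified origin
    reply: { action: data.action, status: 'accepted' },
  };
}

// Browser wiring; skipped when there is no window (for example under Node).
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const result = handleMessage(event);
    if (result && event.source) {
      event.source.postMessage(result.reply, result.targetOrigin);
    }
  });
}
```

Serving the iframe document with a `Content-Security-Policy: frame-ancestors` header that lists the same origins keeps unknown pages from embedding it in the first place.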
