一个网站能否知道我是否正在运行一个用户名？ [英] Can a website know if I am running a userscript?

问题描述

例如，Facebook.com可以在浏览器上运行版本控制脚本，并查看是否使用脚本运行改变的HTML代码？

可以用可以读取缓存中的HTML代码的脚本来完成，并产生一些发送回服务器的哈希标签，并将其与发送到客户端的代码进行比较？

解决方案

是的，在理论上，一个网站可以推导出各种情况下脚本的存在。

这不是万无一失的，通常对网站的威胁可以忽略不计。 （再一次，一些网站管理员可以是这样的事情的强迫症 - 偏执狂）;））

一些方法，取决于脚本的作用（没有特定的顺序）：

1. 游戏或拍卖网站可以监控出价点击的时间（速度和规律性）。




2. 一个网站可以通过AJAX返回计数，< script> 节点，寻找附加组件。

   / li>
   

3. 同样，一个网站可以AJAX回传页面的任何或所有内容，并将其与预期值进行比较。




4. 额外的AJAX调用或不符合隐藏要求的AJAX调用可以被注意（并允许显示成功）。




5. 如果脚本以正确（错误）的方式使用 unsafeWindow ，一个页面可以检测到甚至劫持（略微）提升的权限。




6. 鼠标悬停事件之前没有点击可以是检测。我实际上已经看到在野外使用了这个。




7. 页面的JavaScript通常可以检测脚本生成的点击次数等与用户生成的点击不同。 （感谢 c69 ，提醒。）

然而，最终的优点是用户脚本作者。可以在用户端检测并阻止网页采取的任何对策。即使是自定义的，所需的插件或所需的硬件加密狗也可以被熟练和有动力的用户颠覆。

Can, for example, Facebook.com run a version control script on my browser and find out if I am running altered HTML code with the use of a script?

Could that be done with a script that can read the HTML code in the cache and produce some kind of hash tag that is sent back to the server and compared with the code that was sent to the client?

解决方案

Yes, in theory, a site can deduce the presence of scripts in various situations.

This is not foolproof and usually is way too much trouble for the negligible "threat" to the site. (Then again, some webmasters can be obsessive-paranoids about such things. ;) )

Some methods, depending on what the script does (in no particular order):

1. Gaming or auction sites can monitor the timing (speed and regularity) of "bid" clicks.

2. A site can AJAX-back the count of say, <script> nodes, looking for extras.

3. Similarly, a site can AJAX-back any or all of the content of a page and compare that to expected values.

4. Extra AJAX calls, or AJAX calls that don't meet hidden requirements can be noted (and allowed to appear to succeed).

5. If the script uses unsafeWindow in just the right (wrong) way, a page can detect that and even hijack (slightly) elevated privileges.

6. "Clicks" that were not preceded by mouseover events can be detected. I've actually seen this used in the wild.

7. A page's javascript can often detect script-generated clicks (etc.) as being different than user generated ones. (Thanks, c69, for the reminder.)

Ultimately, the advantage is to the userscript writer, however. Any counter-measures that a webpage takes can be detected and thwarted on the user end. Even custom, required plugins or required hardware dongles can be subverted by skilled and motivated users.

这篇关于一个网站能否知道我是否正在运行一个用户名？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！