Facebook Javascript SDK安全。 Facebook如何验证JS SDK是否已加载到应用设置中指定的正确域中 [英] Facebook Javascript SDK Security. How do Facebook verify that the JS SDK is loaded in the right domain that specified in the app settings
问题描述
有几个同名的问题,但是他们都没有打算问我在我脑海里有什么。所以我们只用app id初始化FB js sdk。通过查看他们的Facebook初始化源代码,很容易了解其他网站的应用程序ID。人们可能会认为,黑客可能会尝试用其他应用程序ID初始化FB JS SDK,并尝试让他们的用户访问令牌。但Facebook不允许这样的东西。您必须从您在Facebook Developer Apps页面的site url属性中指定的同一个域加载js sdk。所以问题是他们如何知道jsonp来自正确的客户端的来电?检查客户端是不安全的,因为人们可以根据需要复制和修改javascript。所以它必须是服务器端检查。我只能想到引荐人检查,但我觉得不能被认为是一种安全的方式。
There are few questions with same name but none of them intended to ask what I have in my mind. So we initialize FB js sdk with only app id. It's easy to know other web site's app id by looking at their facebook initialization source code. One might think that it's possible that a hacker might try to initialize FB JS SDK with other's app id and try to get their user access tokens. But facebook doesn't allow such stuff. You have to load js sdk from the same domain you specified in the site url property in Facebook Developer Apps page. So the question is how do they know that the jsonp whatever calls coming from the right client? It's not safe to that checking in client side since people can copy and modifty the javascript as they wish. So it has to be server side checking. I can only think of "referer checking" but I feel it cannot be considered a safe way.
推荐答案
不确定这只是猜测..
Well, I'm not sure so this is only speculation..
首先,当http请求时, HTTP referer标题被添加,因此当您加载sdk时,您作为请求的URL被添加为引用者。
Facebook可以在他们的服务器上检查请求的来源,并将其与应用设置的内容进行比较。
First of all, when making an http request the HTTP referer header is added, and so when you load the sdk the url from which you're making the request is added as a referer. Facebook can check on their servers where the request was originated from and compare that to what they have for the app settings.
当然可以修改在提出请求时,标题,这就是为什么你不会得到任何错误只是通过加载sdk的应用程序,如果你在错误的域名。
只有当您尝试与sdk进行交互时,才会发生错误,例如尝试执行 FB.login 方法将打开auth对话框弹出窗口,该弹出窗口将显示以下错误消息:
It's possible of course to modify this header when making the request, which is why you don't get any error just by loading the sdk for an app if you're in the wrong domain. The error will only occur when you try to interact with the sdk, for example trying to execute the FB.login method will open the auth dialog pop-up which will show the following error message:
发生错误。请稍后重试。
An error occurred. Please try again later.
如果您检查此验证对话框的URL(其中sdk结构),您会注意到这两个查询字符串参数:
If you check the url of this auth dialog (which the sdk constructs) you'll notice these two query string parameters:
- domain = THE_DOMAIN_OF_THE_PAGE
- redirect_uri = FACEBOOK_URL,其中包含起源,域和关系=开启者
什么(可能)发生的是,Facebook根据应用程序设置检查域,如果可以的话,向用户显示auth对话框,当他完成这个过程,他被重定向到redirect_uri。
What (probably) happens is that facebook checks the domain against the app settings, if it's ok it presents the user with the auth dialog, when he finished the process he is redirected to the redirect_uri.
由于redirect_uri在弹出窗口中打开,它只能与它的开启者通信在同一个域名中,Facebook网页上没有任何人可以在Facebook上提供的Facebook页面以外的页面。
Since the redirect_uri opens in the pop-up it can only communicate with it's opener if they are both in the same domain, a facebook domain which no one can have on his page other than pages served from facebook.
当sdk加载时,它将添加一个iframe到> fb-root 容器加载与redirect_uri相同的域加载的facebook js,因为po p-up窗口可以与iframe通信,并通过auth响应通知。
When the sdk loads it adds an iframe into the fb-root container which loads a facebook js which is loaded from the same domain as the redirect_uri, because of that the pop-up window can communicate back with the iframe and inform it with the auth response.
在iframe得到响应后,弹出窗口关闭,iframe通知在sdk中加载sdk的响应主页面。
我不知道他们使用哪种技术进行通信,但是您可以轻松地通过搜索跨域iframe通信找到更多信息。
After the iframe got the response, the pop-up closes and the iframe informs the loaded sdk in the main page of the response. I'm not sure which technique they use for that communication, but you can easy find more info about that by googling "cross domain iframe communication".
这是我看到的,但我不能肯定。
您可以检查 js sdk @ github 的代码,如果您想真的知道发生了什么。
That's how I see it, but I can't be sure. You can check the code for the js sdk @ github if you want to really know what's going on.
这篇关于Facebook Javascript SDK安全。 Facebook如何验证JS SDK是否已加载到应用设置中指定的正确域中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
