不允许从地址栏调用 javascript 函数
我正在与一个在线游戏网站合作。 有一些事件调用 javascript 函数,并且该函数有一些带有回调的操作。
像这样的东西,
<input type="button" onclick="changeSomething"/>
function changeSomething() {
/// some call back, which changes something
}
现在任何知道这一点的人都可以从浏览器的地址栏中调用这个changeSomething,这是我不想要的。
不太可能有人会这样做,但我想允许这样做。
有什么办法可以防止这样的情况发生吗?
谢谢。
PS我尝试过,但仍然不确定我是否解释得足够好。 如果您没有得到任何东西,请告诉我。
I was working with a online game website. There are some event which call a javascript function and the function have some action with callback.
something like this,
<input type="button" onclick="changeSomething"/>
function changeSomething() {
/// some call back, which changes something
}
now anybody who knows this can call this changeSomething from the address bar of the browser, which I do not want.
Very unlikely that somebody will do it, but I want to allow it.
Is there anyway to prevent situation like this ?
Thanks.
P.S. I tried, but still not sure whether I explained it well enought. Please let me know if you are not getting something.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
您永远无法获得 100% 的保护,免受您尝试的任何技术的影响。 这是一场必败的游戏。
话虽如此,接近您目标的一种方法是完全删除 onclick 属性,并通过 javascript:
html:
js:
绑定您的点击处理程序(即“changeSomething”):然后回调将变为匿名(例如,没有“changeSomething”)不再起作用)。 这些邪恶的用户如果不知道它的名字就无法直接调用它!
围绕这种技术仍然有很多方法,但我们不会提及这些,以免给邪恶的人提供想法:)
(顺便说一句,addEvent 只是一个用于添加事件处理程序的示例库函数。我确信您可以访问一个。如果不是给你。)
You will never be able to get 100% protected from any technique you try. It's a losing game.
Having said that one way to get closer to your goal is to remove the onclick attribute altogether, and bind your click handler (ie "changeSomething") via javascript:
html:
js:
The callback becomes anonymous then (eg there is no "changeSomething" function anymore). These evil users can't call it directly if they don't know its name!
There are still ways around this technique too, but we won't mention those lest we give the evil doers ideas :)
(BTW addEvent is just a sample library function for adding event handlers. I'm sure you have access to one. If not here you go.)
我认为你对此无能为力。 客户端可以在自己的浏览器中运行他们想要的任何内容。 唯一要做的就是验证服务器端的所有内容。 这是所有网络编程中的一个重要概念。 客户端代码可以自由修改,并且应该被视为一种额外的检查以加快速度,而不是一种安全方法。
I dont think that there is anything you can do about this. The client can run whatever they want within their own browser. The only thing to do is validate everything on the server side. This is an important concept in all web programming. Client side code can be freely modified and should be treated as an additional check to speed things up rather than a security method.
您必须在接受请求的任何后端上处理此问题。 假设您仅在某些条件下为用户提供
doSomething()选项,您可能在数据库(或其他)中拥有此信息。不要担心 JavaScript 被调用(没有办法绕过它),并在后端执行与前端相同的检查。 这样,您就可以忘记保护前端的安全,因为无论如何您都做不到……但您仍然可以防止恶意用户在不应该做的事情时
doSomething。如果您需要进一步澄清我的意思,请告诉我,但我需要有关您的应用程序架构的更多详细信息。
You have to handle this on whatever back-end you've got accepting the request. Assuming you only give the user the option to
doSomething()upon certain conditions, you probably have this information in the database (or whatever).Don't worry about the JavaScript being called (no way around it), and do the same check you did on the front-end on the back-end. This way you can simply forget about securing your front-end, since you can't anyway... yet you still prevent malicious users from
doSomethinging when they aren't supposed to.Let me know if you need further clarification of what I mean, but I'll need more details about what your app architecture is like.
任何“解决方案”都会像禁用网页中的右键单击一样有效...对于后一个问题,我找到了至少十几种解决方法,包括在 Opera 中查看页面!
如果禁用此功能,则可以使用 Firebug、Greasemonkey 甚至某些动态修改 HTML 的代理来解决此问题,更不用说使用页面的本地副本等了。
Any "solution" will be as efficient as disabling right-click in Web page... For the latter problem, I found at least a dozen of workarounds, including viewing the page in Opera!
If you disable this, one will workaround with Firebug, Greasemonkey, or even some proxy modifying HTML on the fly, not to mention using a local copy of the page, etc.
可以通过传递ID来检查点击的来源:
修改为:
You can check the source of the click by passing an ID:
Revised to: