Time-consuming XSLT without hanging the browser?

Posted on 2024-07-30 20:48:30

(N.B.: Yes, this is a ridiculous question, and I will be entirely unsurprised if the answer to this question is "no". That said:)

I've written an XSLT stylesheet which deliberately performs a lengthy, unparallelizable computation on an XML fragment. It's intended as a component of a proof-of-work system to be used in a web browser as a sort of CAPTCHA that doesn't require any input from the user -- the result of the computation gets submitted as a hidden form element when the user POSTs data to the server. The form contents are only accepted if the computed value is correct. (The computation is structured in such a way that the server can cheaply provide the user with input parameters to a function, and the server knows the result without having to do a lot of work, but the user's machine has to spend cycles to determine the result.)

The transformation works just fine, but unfortunately hangs the browser while the computation is going on. Since my goal is to have this computation running while the user continues to use the browser, this is unacceptably annoying behaviour. Is there a way to background the transformation and leave the browser usable while it runs? One thought I had was to load the source XML fragment from an iframe, but I haven't been able to get the transform to work at all using this approach. I figured I'd ask here to see if anyone has any brilliant ideas before beating my head against this much further -- if I'm trying to do something that's fundamentally impossible given the way browsers work, it would be nice to know.

I know I could do this in Javascript, but it would be nice not to have to. Any ideas?

EDIT: Guys, I know about recaptcha.net and other alternatives. This is an experiment. My goal is to find out whether a theoretical idea can be reduced to practice in a way that isn't too onerous for the user. I'm not looking for alternative implementations, I'm looking for a way to do a cryptographically strong CAPTCHA that doesn't involve Javascript. (If I wanted to use Javascript, I'd use one of the Javascript hashcash implementations.) The only other browser-based Turing-complete language out there is XSLT. Please consider the question in the spirit in which it was asked.
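
A hashcash-style version of the scheme the question describes, as an added example that is not part of the original post or its answers: the server issues an HMAC-signed challenge, the client searches for a counter, and the server checks the result with one hash. It swaps in a SHA-256 leading-zero-bits search for the asker's unspecified XSLT function; the key, the challenge layout and all function names are assumptions made for illustration.

```javascript
const crypto = require("crypto");

const SERVER_KEY = "constructed-demo-key"; // assumption: load a real secret from config
const spent = new Set();                   // challenges already redeemed (replay guard)

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();
const mac = (s) => crypto.createHmac("sha256", SERVER_KEY).update(s).digest("hex");

// Number of leading zero bits in a digest.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

// Server: stateless challenge "salt.expiry.bits.mac", sent in a hidden field.
function issueChallenge(bits, now, ttlMs = 120000) {
  const body = `${crypto.randomBytes(8).toString("hex")}.${now + ttlMs}.${bits}`;
  return `${body}.${mac(body)}`;
}

// Client: the expensive part, about 2^bits hashes on average.
function solve(challenge) {
  const bits = Number(challenge.split(".")[2]);
  for (let n = 0; ; n++) {
    if (leadingZeroBits(sha256(`${challenge}:${n}`)) >= bits) return n;
  }
}

// Server: one HMAC and one hash, whatever the difficulty.
function verify(challenge, counter, now) {
  const parts = String(challenge).split(".");
  if (parts.length !== 4 || !Number.isSafeInteger(counter)) return "malformed";
  const [salt, expiry, bits, tag] = parts;
  const got = Buffer.from(tag);
  const want = Buffer.from(mac(`${salt}.${expiry}.${bits}`));
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return "bad-mac";
  if (now > Number(expiry)) return "expired";
  if (leadingZeroBits(sha256(`${challenge}:${counter}`)) < Number(bits)) return "bad-work";
  if (spent.has(challenge)) return "replayed";
  spent.add(challenge);
  return "ok";
}
```

Because the difficulty and expiry are covered by the MAC, a client cannot lower the work factor or reuse an old challenge; the `spent` set has to be shared across server instances and can drop entries once their expiry has passed.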

Comments (2)

眉黛浅 2024-08-06 20:48:31

I use xslt in an iframe, and it works just fine - there's probably some unrelated issue you're running into.

If you wish the machine to submit a particular value without user interaction and without javascript, consider using meta refresh:

  1. Include a small, hidden iframe on the webpage which points to an url getting your xml file which includes a stylesheet processing directive to your xslt computation engine
  2. Engineer the xslt file such that the output generates a redirect to a URL with the computation token encoded in the url; i.e. compute the url:

    <meta http-equiv="refresh" content="0;url=http://xyz.abc/captcha?......">

Where the elided section contains your token. That should, in principle, work.

On the other hand, I seriously doubt that xslt is very useful for something like this. Browsers may abort the computation if it takes long; even in an iframe you may get blocking behavior, on single core systems even non-blocking behaviour may effectively be blocking, differences in XSLT engines are such that you'd be hard-pressed to find a transformation that every engine executes fast enough but none blaze through almost instantly.

I don't think javascript would be very good for this, and XSLT is probably even less appropriate. If you really want such computation, silverlight may be a better bet - at least there you can write code that executes everywhere reasonably quickly but that no future engine could ever trivialize (it's close enough to native speed that you should be able to write code that is fairly close to optimal for a cpu - certainly you can come within a factor 10, which probably can't be said for javascript/XSLT).

平生欢 2024-08-06 20:48:31

You won't be able to perform a XSLT transformation after the page is loaded and use its result in a form in the same page without Javascript. I don't know why your IFrame solution doesn't work, but even if it did, you would still need Javascript to import the result into the page's form.

My advice would be to use a small and fast Javascript-based system and fall back to reCAPTCHA if Javascript is disabled. You don't need to make the Proof-of-work CPU-intensive, any custom solution will throw off the very large majority (if not all) of spambots out there.

For example, your page could contain something like

    <input type="hidden" name="a" value="123" />
    <input type="hidden" name="b" value="456" />
    <input type="hidden" name="c" />

and set the value of c to (a+b) in Javascript. Bot-makers would need to adapt their bots specifically to your site in order to solve that extremely simple CAPTCHA. And if they do (which they won't) then add a new field which will define what kind of operation to perform on a and b to get c. And if they adapt again, change the name of the fields. In all likelihood, they won't adapt unless your site happens to be in Alexa's top 10.
