获取请求您的 js 文件的网站的引荐来源网址
我有一个嵌入脚本可以简单地执行此操作:
document.write(unescape('%3Cscript src="' + mp_protocol + 'blah.cloudapp.net/js?location="' + window.location +' type="text/javascript"%3E%3C/script%3E'));
正如您现在所看到的,嵌入代码的网页的 URL 是使用 window.location 传入的。但这可以很容易地由客户编辑。
我想知道是否可以获取引荐来源网址而不是传递网址。由于嵌入了此脚本,我不确定是否会传递引用信息?
(是的,你也可以伪造推荐人......但这比我认为大多数人想要的要多一些)。
I have an embed script that simply does this:
document.write(unescape('%3Cscript src="' + mp_protocol + 'blah.cloudapp.net/js?location="' + window.location +' type="text/javascript"%3E%3C/script%3E'));
As you can see right now the URL of the webpage that is embedding the code is passed in using window.location. But this can easily be edited by the client.
I wanted to know if I can get the referrer instead of passing the url. I wasn't sure if referring info would be passed since this script is embedded?
(yes, you can also fake referrers... but that is a bit more effort than I think most people will want).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
浏览器通常会为脚本请求发送一个“Referer”(原文如此)标头,其中包含包含脚本链接的页面的 URL,无论该脚本元素是如何创建的。
这可以通过检查“Referer”HTTP 变量来访问(注意不寻常的拼写)。
这个想法是,您可以检查此变量并查看它是否引用您网站的一部分。
请注意,该变量并不总是准确的;用户可以选择通过不发送引用标头(使用某种小型隐私工具)来保护他们的隐私,他们甚至可以修改他们的浏览器以发送他们想要在此字段中发送的任何内容。因此,不应依赖它进行身份验证,除非您还考虑到即使合法用户也可能将其留空或在其中放入任意字符串。
The browser will usually send a "Referer" (sic) header for script requests which contain the URL of the page that contains the script link, regardless of how that script element was created.
This is accessible by checking the "Referer" HTTP variable (note unusual spelling).
The idea is that you can check this variable and see if it refers to part of your site.
Note that this variable is not always accurate; a user may elect to protect their privacy by not sending a referer header (using some sort of dinky privacy tool) and they may even modify their browser to send whatever they want in this field. So it shouldn't be relied upon for authentication, unless you also take into account that even a legitimate user may have left it blank or put an arbitrary string in it.