Cross-domain JavaScript form filling, reverse proxy

Posted on 2024-09-18 22:50:45


I need a javascript form filler that can bypass the 'same origin policy' most modern browsers implement.

I made a script that opens the desired website/form in a new browser. With the handler, returned by the window.open method, I want to retrieve the inputs with theWindowHandler.document.getElementById('inputx') and fill them (access denied).

Is it possible to solve this problem by using Isapi Rewrite (official site) in IIS 6 acting like a reverse proxy?
If so, how would I configure the reverse proxy?

This is how far I got:

RewriteEngine on
RewriteLogLevel 9
LogLevel debug 

RewriteRule CarChecker https://the.actualcarchecker.com/CheckCar.aspx$1 [NC,P]

The rewrite works, http://ourcompany.com/ourapplication/CarChecker, as evident in the logging. From within our company site I can run the carchecker as if it was in our own domain. Except, the 'same origin policy' is still in force.

Update,

I stopped using Isapi Rewrite as the free version does not include a proxy component. I started to use the url rewriter from Managed Fusion.

My current working rewrite rule:

RewriteRule /MySecuredSite/CarChecker https://the.actualcarchecker.com [NC,P]

Now I get the error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

I think this occurs because our SSL certificate is passed on to the carchecker site. How can I configure the reverse proxy so that the certificate of the carchecker site is passed on?

Regards,

Michel


Comments (3)

你在我安 2024-09-25 22:50:45


Without knowing a few more details I decided that it might just be helpful to list some of the restrictions you face and some of the tricks you could take advantage of:

  1. I'm not an ASP developer but I'm aware that, as you mentioned, there is some kind of viewstate variable that must be submitted along with an ASP form. I assume that this viewstate can be validated using only the form fields that are to be resubmitted. That's all that I'd expect (unless it's super complex) since the form the browser receives is all it sends back (along with values). So the point is that you'll need a valid viewstate when you submit to the aspx page, but maybe you can grab any viewstate you want from the server so long as the form fields you submit are identical.

  2. You can write a webpage that acts just like your browser does. It can grab the aspx page (thus establishing a valid viewstate), then you can create all of the fields necessary to POST to the aspx page, including the viewstate, and do so. Whatever the results are can be returned from your webpage to the browser. Unless you have the ability to modify the other server I really don't see another option at this point, but maybe someone else can be more helpful.

  3. If you can modify the other server then you have a few other options. One of them involves a trick for passing data between iframes. If you're using a hidden iframe to get the aspx page then you won't be able to get the result back to the parent page due to the cross-domain restriction. But since you can modify the other server (running on the.actualcarchecker.com), you can get around this. To do so just make that server provide JavaScript to submit the form asynchronously and then set the result (serialized to a string) to window.name.

    Now to get access to window.name from your domain, you set the iframe's window.location to a page on your domain that will simply call a function you wrote in the JavaScript loaded in the parent window. Like window.parent.process(window.name). Since the iframe loaded a page on your domain it will have access to window.name which will not have been changed even though you changed window locations. Then the process() function in the parent window can deserialize the string, remove the hidden iframe, show the results, do whatever you want, etc.

  4. You won't be able to populate the aspx form that's loaded in the hidden iframe unless you do a similar trick on the other domain's server. That server's JavaScript will need to read from window.name to receive the inputs to populate the form with. However, if both servers are in on the trick then you don't have to write a proxy, you can just pass data via window.name.
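
The window.name hand-off from points 3 and 4 above, as an added example that is not part of the original answer: each function takes the window object it would run in, so the flow can be traced outside a browser. The function names, the `plate` and `status` fields, the `relay.html` page and the stub windows are assumptions; `process()` treats the string as untrusted input and parses it with `JSON.parse` instead of evaluating it.

```javascript
// Added example: the three roles in the window.name hand-off.
// All names are hypothetical; the stub windows in simulate() are constructed.

// 1. Runs in the iframe on the remote domain after the form was submitted:
//    serialize the result into window.name, then navigate to the relay page.
function publishResult(frameWin, result, relayUrl) {
  frameWin.name = JSON.stringify(result);
  frameWin.location = relayUrl; // the answer relies on name surviving this navigation
}

// 2. Runs in the relay page on our own domain, still inside the iframe:
//    it is same-origin with the parent now, so it may call into it.
function relay(frameWin) {
  return frameWin.parent.process(frameWin.name);
}

// 3. Runs in the parent page. window.name is a plain string that whatever page
//    last ran in the frame could set, so parse and validate it; never eval it.
function process(raw) {
  let data;
  try {
    data = JSON.parse(raw);
  } catch (e) {
    return { ok: false, error: "not JSON" };
  }
  if (data === null || typeof data !== "object" ||
      typeof data.plate !== "string" || typeof data.status !== "string") {
    return { ok: false, error: "unexpected shape" };
  }
  // Copy only the expected fields; ignore anything else the frame sent.
  return { ok: true, plate: data.plate, status: data.status };
}

// Constructed stand-ins for the browser objects, to trace the flow end to end.
function simulate(result) {
  const parentWin = { process };
  const frameWin = { name: "", location: "", parent: parentWin };
  publishResult(frameWin, result, "https://ourcompany.com/relay.html"); // hypothetical page
  return relay(frameWin);
}
```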

勿挽旧人 2024-09-25 22:50:45


Which server side language are you using? Using it you can create a proxy which should easily bypass the one domain policy...

PHP

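<?php
    // Fetch the remote page server-side (needs allow_url_fopen and the openssl extension for https).
    $handle = fopen("https://the.actualcarchecker.com/CheckCar.aspx", "r");
    if ($handle === false) {
        // fopen() returns false on failure; feof()/fread() must not be called on it.
        http_response_code(502);
        exit("Upstream request failed");
    }
    $contents = '';
    // Read the response body in 8 KiB chunks until end of stream.
    while (!feof($handle)) {
        $contents .= fread($handle, 8192);
    }
    fclose($handle);
    // Relay the upstream body to the browser unchanged.
    echo $contents;
?>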

I'd imagine it would be a similar process with other languages.

浪推晚风 2024-09-25 22:50:45


Why don't you use JSONP approach instead? I.e. use JavaScript to read the values entered into your form and send it to the server-side handler via a dynamically generated <script> element (<script> and img elements can refer to resources from external domains).

var e = document.createElement("script");
e.setAttribute("type", "text/javascript");
e.setAttribute("src", "https://the.actualcarchecker.com/CheckCar.aspx?input1=value1&input2=value2");
document.getElementsByTagName('head')[0].appendChild(e); 

Likely, you will not need any serious URL rewriting at all if you use this approach - just make sure that CheckCar.aspx returns valid JSON.

jQuery even has several convenience functions for this: AFAIK $.getJSON will transparently switch from XHR to dynamic script insertion method if the request is cross-domain. Also, it supports specifying callbacks. See jQuery docs and this IBM article for more info.

Will this method work for you?
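
Both halves of the script-element exchange described above, as an added example that is not part of the original answer: the page builds the URL with encoded values and a callback name, and the handler answers with a script that calls that callback around the JSON. The `callback` parameter name and the function names are assumptions; the handler rejects any callback that is not a plain identifier, since that value is written verbatim into script the including page will run.

```javascript
// Added example (hypothetical names; not code from the page or from any site).

// Only a plain identifier may be echoed back as the function name.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Client side: the URL a dynamically inserted <script> element would load.
function buildJsonpUrl(base, params, callbackName) {
  const query = Object.entries({ ...params, callback: callbackName })
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
  return base + "?" + query;
}

// Server side: turn the callback name and a result object into the response.
function jsonpBody(callbackName, payload) {
  if (typeof callbackName !== "string" || !CALLBACK_RE.test(callbackName)) {
    // Anything else would let the requester choose the script text.
    return { status: 400, type: "text/plain", body: "invalid callback" };
  }
  // U+2028/U+2029 are valid in JSON but end a line in older JavaScript
  // engines, so escape them before embedding the JSON in a script.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    type: "application/javascript",
    body: callbackName + "(" + json + ");",
  };
}
```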
