How easy is it to beat this JavaScript preventive measure?

Posted on 2024-10-02 17:43:51

I'm trying to prevent a user from disabling style. (I HAVE A GOOD REASON TO DO THIS, so please no posts about accessibility, as 99.99% of my site is totally accessible. Just trying to prevent it on .1% of my pages. And if you must know, it is a paid web course that I don't want people stealing... easily.)

I'm using jQuery:

function cssCheck() {
  if( ! $('#cssenabledcheck').is(':hidden') ) {
    // A scheme is required; without it the string is resolved as a relative path.
    window.location.href = "http://www.somerandompage.com";
  }
}

var styleCheck = setInterval(cssCheck, 500);

cssenabledcheck is an empty div with style set to hidden. The logic is that if you disable styles, the div will show and the style check will fail, thus redirecting the user to a page telling them to enable styles. It is surprisingly non-memory-intensive even on old PCs, even though it is continually running every half-second.

My question is, how easy is it for a person to override (inject) the styleCheck variable, thus beating my check? I truthfully know very little about hacking so any insight would be appreciated.

Comments (6)

拥抱没勇气 2024-10-09 17:43:51

As easy as opening firebug and issuing

clearInterval(styleCheck);

You should not assign the setInterval returned value to a variable though, so it would be un-clearable. But they could rewrite the cssCheck method.

This in turn could be avoided by using an anonymous function

setInterval( function(){...}, 500);

but they could disable JavaScript altogether, and there is nothing to do about that case.

李白 2024-10-09 17:43:51

It would be very easy (using Greasemonkey, for example). If you truly want something to be hidden it shouldn't be on the page, period. Even if it is hidden, it is still in the source if you go to your browser's "View Source" option. What you have here is also easily bypassed by disabling JavaScript in one's browser.

I think the right way to do this would be to have an Ajax call to the server when you need to retrieve the hidden content, either that or go to a different page for the hidden content.
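
The server-side approach suggested in the answer above, as an added example (Node.js, not code from any of the posts): the lesson body is returned only after the server has verified a signed login token and the user's enrolment, so nothing done in the browser changes the outcome. The names `issueToken`, `verifyToken` and `getLesson`, the token format and the sample data are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32);          // server-only signing key
const ENROLLED = new Set(['alice']);            // constructed sample enrolment data
const LESSONS = { '1': '<h1>Lesson 1</h1>' };   // kept on the server, never embedded in the page

function mac(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Issued at login; the browser would hold it in an HttpOnly cookie.
function issueToken(user, ttlMs, now = Date.now()) {
  if (user.includes('|')) throw new Error('invalid user name');
  const payload = `${user}|${now + ttlMs}`;
  return `${payload}|${mac(payload)}`;
}

// Returns the user name, or null if the token is missing, altered, forged or expired.
function verifyToken(token, now = Date.now()) {
  const parts = typeof token === 'string' ? token.split('|') : [];
  if (parts.length !== 3) return null;
  const [user, exp, sig] = parts;
  const given = Buffer.from(sig, 'hex');
  const want = Buffer.from(mac(`${user}|${exp}`), 'hex');
  if (given.length !== want.length || !crypto.timingSafeEqual(given, want)) return null;
  return Number(exp) > now ? user : null;
}

// Body of a hypothetical GET /lesson/:id handler: decide before sending any content.
function getLesson(token, lessonId, now = Date.now()) {
  const user = verifyToken(token, now);
  if (!user) return { status: 401, body: 'Please log in.' };
  if (!ENROLLED.has(user)) return { status: 403, body: 'Not enrolled.' };
  if (!Object.hasOwn(LESSONS, lessonId)) return { status: 404, body: 'No such lesson.' };
  return { status: 200, body: LESSONS[lessonId] };
}
```

A request made with JavaScript disabled, or from curl or wget, goes through the same `getLesson` decision as one made from the course page.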

似梦非梦 2024-10-09 17:43:51

I could use firebug or greasemonkey to easily disable preventative measures. JavaScript can never be counted on for any sort of security.

半窗疏影 2024-10-09 17:43:51

Apart from disabling JavaScript, one could just use Firebug to override any global variable like styleCheck.

凉薄对峙 2024-10-09 17:43:51

Anything running in the browser must be assumed to be under the user's control. It's trivial to use Firebug or GreaseMonkey or even a bookmarklet to change javascript variables or remove javascript functions, and even easier to alter styles (you can specify a personal stylesheet that will override the site's stylesheet).

If you truly need to protect your content from copying, you will have to display it inside a plugin such as Flash, where the environment is more tightly controlled.

ゝ杯具 2024-10-09 17:43:51

Ridiculously easy. In any JS console, type:

cssCheck = function() {}

A slightly more robust version would be to put it in a closure where it's hard to override.

(function() {
  function cssCheck() {
    if( ! $('#cssenabledcheck').is(':hidden') ) {
      // A scheme is required; without it the string is resolved as a relative path.
      window.location.href = "http://www.somerandompage.com";
    }
  }

  var styleCheck = setInterval(cssCheck, 500);
})();

But it can still easily be beaten by turning off JavaScript, or even with curl or wget, or right-click view source. There isn't really a robust way to do what you want.
