Facebook "Like" button doesn't "like" content inside a secured folder?
I am implementing the Facebook "Like" button. Works all fine with
<fb:like
href="http://www.thismydomain123.com/IlikeThisPage.php?id=123"
layout="standard"
show_faces="false"
width="450"
action="like"
colorscheme="light" />
But having sharable content placed in a secured folder, won't do (accessing the folder directly would prompt "The http://www.thismydomain123.com at mySecureFolder requires a username and password..."):
<fb:like
href="http://www.parisgallery.com/mySecureFolder/IlikeThisPage.php?id=123"
layout="standard"
show_faces="false"
width="450"
action="like"
colorscheme="light" />
So, is there a way to authenticate or any other preferable solution for this?
Thanks a lot,
Steilflug
Comments (1)
In short, no, there is not a solution that would both work and be secure. When a user clicks the 'like' button on a page, Facebook pings your page from its own servers in order to get images and text to display on your news feed (see Why does Facebook appear in my server logs?). The trick is to let Facebook pings in but block all other traffic that isn't authenticated.
Facebook pings using the user agent facebookexternalhit/1.0 (+http://www.facebook.com/externalhit_uatext.php). If you aren't too concerned about security you could allow access to your pages for any agent using that user agent string. It's important to note, however, that this is entirely insecure because any agent can change their user agent string of their own accord. Facebook also offers no guarantee that their user agent string won't change so this method could stop working at any moment.
Another option would be to simply allow anyone on a Facebook IP address access without authentication. This would work assuming Facebook is consistent about the IPs that it pings from, but again there is no guarantee on this front. This is also potentially insecure if you only want some Facebook features and/or employees to be able to see your content without validation or if Facebook releases their ownership of those IP blocks.
I suppose your real problem is that you're trying to have content that is at the same time both protected and sharable which is a sort of a paradox. The only true solution to this problem would be to allow anyone read access to your content.
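The two bypass policies weighed in the answer above, side by side, as an added example that is not part of the original answer: a user-agent-only check, and a check that also requires the connection's source address to fall in an operator-maintained allowlist. The function names are hypothetical and the CIDR ranges are constructed placeholders from the documentation address blocks, not Facebook's real ranges.

```python
import ipaddress

# User-agent string quoted in the answer above.
FB_UA = "facebookexternalhit/1.0 (+http://www.facebook.com/externalhit_uatext.php)"
CRAWLER_UA_TOKEN = "facebookexternalhit"

# Constructed placeholder ranges (documentation blocks). Assumption: the
# operator replaces these with ranges they have verified themselves.
ALLOWED_CRAWLER_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def ua_only_bypass(user_agent):
    """Weak policy: skip authentication for anything claiming the crawler UA."""
    return CRAWLER_UA_TOKEN in (user_agent or "").lower()


def ua_and_ip_bypass(user_agent, remote_addr, nets=ALLOWED_CRAWLER_NETS):
    """Stricter policy: the UA must match AND the TCP peer must be allowlisted.

    remote_addr must be the socket peer address, not a client-supplied header.
    """
    if not ua_only_bypass(user_agent):
        return False
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparsable address: fail closed
    return any(peer in net for net in nets)


def decide(user_agent, remote_addr, has_valid_credentials):
    """Return 'allow' or 'challenge' (send HTTP 401) for one request."""
    if has_valid_credentials or ua_and_ip_bypass(user_agent, remote_addr):
        return "allow"
    return "challenge"


if __name__ == "__main__":
    # Constructed requests: same crawler UA, different source addresses.
    print(decide(FB_UA, "198.51.100.7", False))  # UA copied by another client
    print(decide(FB_UA, "192.0.2.10", False))    # UA from an allowlisted range
```

The stricter policy still carries the caveats from the answer: every client inside an allowlisted range reads the page unauthenticated, and the list goes stale if the ranges change hands.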