Prevent other websites from linking to my CSS

Posted on 2024-11-13 09:30:02

I have a commerce css on my site. I use IIS and vendor says that others can use my css fonts because they know the url. Is it possible to set server or something so that only my site can use it? It is about cufon

Comments (4)

束缚m 2024-11-20 09:30:03

If you are on IIS7 or greater you can perform a Referer check without writing any custom code, simply by using IIS URL Rewrite in the manner discussed here. However as simply a Referer check, it has the shortcomings discussed in the other answers given.

(For introduction to IIS URL Rewrite see here.)

Excerpt from the first link:

Let me now explain what we have done on this property page:

  • Specified name of the rule as "Prevent Leeching". This must be a unique rule.
  • Every requested URL will be matched as the pattern is ".*" and is a regular expression.
  • Added two conditions and specified both the conditions to be satisfied (see "Logical Grouping" is "Match All")
  • HTTP_REFERER does not match empty as it can be a direct reference to the image
  • HTTP_REFERER does not match my own site http://www.contoso.com

If the above two conditions are satisfied (apparently meaning the request is coming from any other site), we are just redirecting it to pick up some other image which can be anything. And that's it. So without writing even a single line of code we are able to prevent hot-linking.

I would probably tailor your Rewrite configuration so that it is only performed on your font URLs (and other static assets of concern) rather than every single incoming request.

If you don't have remote desktop access or are just editing web.config, your rewrite rule will probably look something like:

    <rule name="block font leaching" stopProcessing="true">
      <match url="myFontFile.woff" />
      <conditions logicalGrouping="MatchAny">
        <add input="{HTTP_REFERER}" pattern="^$" /><!-- no referrer -->
        <add input="{HTTP_REFERER}" pattern="yourdomain.com" negate="true" /><!-- or not your site -->
      </conditions>
      <action type="AbortRequest" /><!-- block the request -->
    </rule>

In this example I chose to block the request entirely (through AbortRequest), however you could just as well have redirected to a page with a friendly notice.

天生の放荡 2024-11-20 09:30:03

Not reliably. In order to serve up the embedded fonts they need to be readable by the public, and referable by your CSS.

What you could do is create an asp.net page, or a handler which takes a parameter of the font file, reads the file from somewhere in your web site (APP_DATA is a good place to put them - you can't browse to APP_DATA) and spits it out. In the script you could check the HTTP_REFERER server side variable and if it is either blank, or comes from your site you serve the file, if it doesn't you don't.

MSDN has an example of how to serve up a binary file in C#. You'll need to ensure you get the MIME type right, however be aware this would probably break any caching provided by the browser or proxies. This also wouldn't stop people downloading the fonts by typing the URL into their browser and saving them locally, but if bandwidth is the concern that's not really going to be a problem.

If you're on IIS7 you could write an Http Module which would do the referrer check for you, Scott Hanselman wrote one for image leeching prevention quite a while ago, you could edit that to match your purposes.
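The handler approach described in the answer above, as an added example that is not part of the original answer or of the MSDN sample it mentions. The class name `FontHandler`, the `~/App_Data/fonts/` folder and the font file name are assumptions; the Referer is compared by parsed host rather than by substring, and the `file` parameter is checked against an allow-list so it cannot select arbitrary files.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical handler, e.g. FontHandler.ashx?file=myFontFile.woff
public class FontHandler : IHttpHandler
{
    // Allow-list: only these names are ever served, so the "file" parameter
    // cannot be used to read anything else on disk (names are assumptions).
    private static readonly Dictionary<string, string> Fonts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "myFontFile.woff", "font/woff" }
        };

    public bool IsReusable { get { return true; } }

    // True when the Referer is blank or its host equals the requested host.
    // Comparing parsed hosts rejects look-alikes that a substring match
    // would accept, such as "yourdomain.com.other.example".
    public static bool RefererAllowed(Uri requestUrl, string referer)
    {
        if (string.IsNullOrEmpty(referer)) return true;
        Uri parsed;
        return Uri.TryCreate(referer, UriKind.Absolute, out parsed)
            && string.Equals(parsed.Host, requestUrl.Host, StringComparison.OrdinalIgnoreCase);
    }

    public void ProcessRequest(HttpContext ctx)
    {
        string name = ctx.Request.QueryString["file"] ?? "";
        string mime;
        if (!Fonts.TryGetValue(name, out mime))
        {
            ctx.Response.StatusCode = 404;
            return;
        }
        if (!RefererAllowed(ctx.Request.Url, ctx.Request.Headers["Referer"]))
        {
            ctx.Response.StatusCode = 403;
            return;
        }
        ctx.Response.ContentType = mime;
        // The response depends on Referer, so caches must key on that header.
        ctx.Response.AppendHeader("Vary", "Referer");
        ctx.Response.TransmitFile(ctx.Server.MapPath("~/App_Data/fonts/" + name));
    }
}
```

Because a blank Referer is allowed, this limits embedding from other sites but does not stop direct downloads, as the answer notes.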

奶气 2024-11-20 09:30:03

You could make an http handler to serve up css files. In your custom http handler, check that the request.Url.Host equals request.UrlReferrer.Host. If they don't match, set the response to 404 or serve up an empty css file.

This is untested but should be close to what you would need.
You would add a link to css like:

    <link rel="Stylesheet" href="CustomCSSHandler.ashx?file=site.css" />

    using System.Globalization;
    using System.IO;
    using System.Web;

    public class CustomCSSHandler : IHttpHandler
    {
        // Required member of IHttpHandler
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext ctx)
        {
            HttpRequest req = ctx.Request;
            // Get the file from the query string
            string file = req.QueryString["file"];
            // Find the actual path
            string path = ctx.Server.MapPath(file); // Might need to modify location of css

            // Limit to only css files
            if (Path.GetExtension(path) != ".css")
                ctx.Response.End();

            // A Referer from a different host is pointed at a file that does not exist
            if (req.UrlReferrer != null && req.UrlReferrer.Host.Length > 0)
            {
                if (CultureInfo.InvariantCulture.CompareInfo.Compare(req.Url.Host, req.UrlReferrer.Host, CompareOptions.IgnoreCase) != 0)
                {
                    path = ctx.Server.MapPath("~/thiswontexist.css");
                }
            }

            // Make sure file exists
            if (!File.Exists(path))
            {
                // Response.Status must have the form "404 Not Found", so set
                // the code and the description separately
                ctx.Response.StatusCode = 404;
                ctx.Response.StatusDescription = "File not found";
                ctx.Response.End();
            }

            ctx.Response.StatusCode = 200;
            ctx.Response.ContentType = "text/css";
            ctx.Response.WriteFile(path);
        }
    }

蓦然回首 2024-11-20 09:30:02

Things you can do:

  1. Give up. If your users can see it, they can steal it. Similarly, don't expect to protect your site from users viewing its source code.
  2. If the font is a vector font, rasterize the font for all the font sizes you support, but no others. This may have a negative impact on browsing experience of your users. This makes stealing your font give less useful data, but doesn't actually stop the theft.
  3. Replace all use of the font with bitmaps. Much more work to steal in that case, and only gives the user rasterized version of font (and not necessarily all the letters). You can create a special text UserControl that sticks a bitmap wherever you put it, so this isn't actually that much work to do or maintain. It does increase the bandwidth requirements for your page, though. It also forces you to do some of the layout by hand that is normally handled by the browser, which could add heavy maintenance costs or minimal maintenance costs, depending on how your site's layout works. And as with #2, it can have a negative impact on browsing experience of your users. It also hurts accessibility, though not absurdly so since your UserControl will presumably use alt text to duplicate the text.

I strongly recommend #1.
