
Source maps security

Source maps are extremely helpful when stepping through minified library code, among other things. The first few lines of a .js file using source maps could look like this by default:

/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license
//@ sourceMappingURL=jquery.min.map
*/

If you don't have jquery.min.map in the same directory, a browser that supports source mapping will make a redundant http request resulting in a 404 error (sounds familiar, favicon anyone?).

I've noticed that sourceMappingURL could point to another domain; I'm not advocating the practice, but it seems peculiar that it wouldn't be subject to CORS:

/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license
//@ sourceMappingURL=//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.map
*/

Are mapped unminified sources safe? i.e. if in the example above the mapped server were compromised and malicious code added to the source, could/would it get executed? What about if you're debugging code and stepping through it? I can't find any implementation details that would answer this.

When you step through code, you're executing the minified code, not the code in the source map. The source map is just used for display in the debugger.
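The directive the question quotes is a plain comment at the end of the script, so an audit of built assets can find map references that would be fetched from another origin before they ship. The following is an added example, not code from the question or answer above; the script URL under example.test is a constructed assumption, and the two jQuery headers are the ones quoted in the question.

```javascript
// Added example: locate the sourceMappingURL directive in a JavaScript file and
// report where a browser would fetch the map from. Both the legacy "//@" form
// shown in the question and the current "//#" form are recognised, in line or
// block comments.
const SOURCE_MAP_DIRECTIVE = /\/[\/*][@#]\s*sourceMappingURL=([^\s*]+)/g;

// Return the last sourceMappingURL value in `jsText`, or null if there is none.
// Browsers honour the last directive in the file, so that is the one that counts.
function extractSourceMappingURL(jsText) {
  let last = null;
  for (const m of jsText.matchAll(SOURCE_MAP_DIRECTIVE)) last = m[1];
  return last;
}

// Resolve the directive against the URL the script is served from and classify
// the resulting map fetch as same-origin or cross-origin. Protocol-relative
// values such as "//ajax.googleapis.com/..." resolve to the script's scheme.
function classifySourceMap(jsText, scriptUrl) {
  const directive = extractSourceMappingURL(jsText);
  if (directive === null) return { directive: null, mapUrl: null, kind: 'none' };
  const script = new URL(scriptUrl);
  const map = new URL(directive, script);
  const kind = map.origin === script.origin ? 'same-origin' : 'cross-origin';
  return { directive, mapUrl: map.href, kind };
}

// Headers quoted from the question; the script URL is a constructed sample.
const LOCAL_MAP_HEADER =
  '/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license\n' +
  '//@ sourceMappingURL=jquery.min.map\n*/\n';
const REMOTE_MAP_HEADER =
  '/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license\n' +
  '//@ sourceMappingURL=//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.map\n*/\n';
const SCRIPT_URL = 'https://example.test/js/jquery.min.js';

console.log(classifySourceMap(LOCAL_MAP_HEADER, SCRIPT_URL));
console.log(classifySourceMap(REMOTE_MAP_HEADER, SCRIPT_URL));
```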
