堆栈内存溢出
  简体   繁体   English

阻止本地PHP / HTML文件预览在服务器上执行javascript

[英]Prevent local PHP/HTML files preview from executing javascript on server

 原文  2014-07-17 09:38:23       javascript/ php/ ajax/ security/ matomo

问题描述

I have some HTML/PHP pages that include javascript calls . 我有一些 包含javascript调用的 HTML / PHP页面
Those calls points on JS/PHP methods included into a library (PIWIK) stored onto a distant server. 这些调用点包含在存储在远程服务器上的 (PIWIK)中的JS / PHP方法上。
They are triggered using an http://www.domainname.com/ prefix to point the correct files. 它们使用http://www.domainname.com/前缀触发,以指向正确的文件。

I cannot modify the source code of the library. 我无法修改该库的源代码。

When my own HTML/PHP pages are locally previewed within a browser, I mean using ac:\\xxxx kind path, not a localhost://xxxx one, the distant script are called and do their process . 当我自己的HTML / PHP页面在浏览器中本地预览时 ,我的意思是使用ac:\\ xxxx路径,而不是localhost:// xxxx路径, 将调用远程脚本并进行处理

I don't want this to happen, only allowing those scripts to execute if they are called from a www.domainname.com page . 我不希望发生这种情况,仅当从www.domainname.com页面调用这些脚本时才允许执行这些脚本

Can you help me to secure this ? 你能帮我确保这一点吗?

One can for sure directly bypass this security modifying the web pages on-the-fly with some browser add-on while browsing the real web site, but it's a little bit harder to achieve. 可以肯定的是,在浏览真实网站时,可以通过一些浏览器插件直接绕过动态修改网页的安全性,但是这样做有点困难。

I've opened an issue onto the PIWIK issue tracker, but I would like to secure and protect my web site and the according statistics as soon as possible from this issue, waiting for a further Piwik update. 我已经在PIWIK问题跟踪器上打开了一个问题 ,但是我希望尽快从此问题中保护并保护我的网站和相应的统计信息,等待进一步的Piwik更新。

EDIT 编辑

The process I'd like to put in place would be : 我要执行的过程是:

  • Someone opens a page from anywhere than www.domainname.com 有人可以从www.domainname.com以外的任何地方打开页面
  • > this page calls a JS method on a distant server (or not, may be copied locally), >该页面在远程服务器上调用JS方法(或者不可以,可以在本地复制),
  • > this script calls a php script on the distant server >此脚本在远程服务器上调用php脚本
  • > the PHP script says "hey, from where damn do yo call me, go to hell !". > PHP脚本说:“嘿,该死的地方叫我,去死吧!”。 Or the PHP script just do not execute.... 或PHP脚本只是不执行。

I've tried to play with .htaccess for that, but as any JS script must be on a client, it blocks also the legitimate calls from www.domainname.com 我尝试使用.htaccess进行此操作,但是由于任何JS脚本都必须在客户端上,因此它还会阻止来自www.domainname.com的合法调用。

2 个解决方案

解决方案1
 1  2014-07-17 10:13:09

Untested, but I think you can use php_sapi_name() or the PHP_SAPI constant to detect the interface PHP is using, and do logic accordingly. 未经测试,但我认为您可以使用php_sapi_name()PHP_SAPI常量来检测PHP使用的接口,并据此进行逻辑处理。

Not wanting to sound cheeky, but your situation sounds rather scary and I would advise searching for some PHP configuration best practices regarding security ;) 不想听起来很厚脸皮,但是您的情况听起来很可怕,我建议您搜索一些有关安全性的PHP配置最佳实践;)

Edit after the question has been amended twice: 在问题被修改两次后进行编辑:

Now the problem is more clear. 现在问题更加清楚了。 But you will struggle to secure this if the JavaScript and PHP are not on the same server. 但是,如果JavaScript和PHP不在同一服务器上,则您将很难确保这一点。

If they are not on the same server, you will be reliant on HTTP headers (like the Referer or Origin header) which are fakeable. 如果它们不在同一服务器上,则将依赖于可伪造的HTTP标头(例如RefererOrigin标头)。

But PIWIK already tracks the referer ("Piwik uses first-party cookies to keep track some information (number of visits, original referrer, and unique visitor ID)" so you can discount hits from invalid referrers. 但是PIWIK已经跟踪了引荐来源(“ Piwik使用第一方cookie来跟踪某些信息(访问次数,原始引荐来源和唯一的访问者ID)”,因此您可以打折无效引荐来源的匹配。

If that is not enough, the standard way of being sure that the request to a web service comes from a verified source is to use a standard Cross-Site Request Forgery prevention technique -- a CSRF "token", sometimes also called "crumb" or "nonce", and as this is analytics software I would be surprised if PIWIK does not do this already, if it is possible with their architecture. 如果这还不够,那么确保对Web服务的请求来自经过验证的来源的标准方法是使用标准的跨站点请求伪造防护技术-CSRF“令牌”,有时也称为“垃圾”或“ nonce”,因为这是分析软件,如果PIWIK尚未实现此功能(如果其架构可行),我将感到惊讶。 I would ask them. 我会问他们。

Most web frameworks these days have CSRF token generators & API's you should be able to make use of, it's not hard to make your own, but if you cannot amend the JS you will have problems passing the token around. 如今,大多数Web框架都有CSRF令牌生成器和API,您应该可以使用它们,创建自己的API并不难,但是如果您无法修改JS,则在传递令牌时会遇到问题。 Again PIWIK JS API may have methods for passing session ID's & similar data around. 同样,PIWIK JS API可能具有用于传递会话ID和类似数据的方法。

解决方案2
 0  2014-07-18 13:38:08

Original answer 原始答案

This can be accomplished with a Content Security Policy to restrict the domains that scripts can be called from: 这可以通过内容安全策略来限制可以从中调用脚本的域来实现:

CSP defines the Content-Security-Policy HTTP header that allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources. CSP定义了Content-Security-Policy HTTP标头,该标头允许您创建可信内容源的白名单,并指示浏览器仅执行或呈现这些源中的资源。

Therefore, you can set the script policy to self to only allow scripts from your current domain (the filing system) to be executed. 因此,您可以将脚本策略设置为self以仅允许执行当前域(文件系统)中的脚本。 Any remote ones will not be allowed. 不允许任何远程的。

Normally this would only be available from a source where you get set HTTP headers, but as you are running from the local filing system this is not possible. 通常,只有从设置了HTTP标头的源中才能使用此功能,但是从本地文件系统运行时,这是不可能的。 However, you may be able to get around this with the http-equiv <meta> tag: 但是,您可以使用http-equiv <meta>标签解决此问题

Authors who are unable to support signaling via HTTP headers can use tags with http-equiv="X-Content-Security-Policy" to define their policies. 无法通过HTTP头支持信令的作者可以使用带有http-equiv="X-Content-Security-Policy"标记来定义其策略。 HTTP header-based policy will take precedence over tag-based policy if both are present. 如果同时存在基于HTTP标头的策略,则将优先于基于标记的策略。

Answer after question edit 问题后回答编辑

Look into the Referer or Origin HTTP headers. 查看RefererOrigin HTTP标头。 Referer is available for most requests, however it is not sent from HTTPS resources in the browser and if the user has a proxy or privacy plugin installed it may block this header. Referer可用于大多数请求,但是不会从浏览器中的HTTPS资源发送Referer ,并且如果用户安装了代理或隐私插件,它可能会阻止此标头。

Origin is available for XHR requests only made cross domain, or even same domain for some browsers. Origin仅适用于跨域乃至某些浏览器具有相同域的XHR请求。

You will be able to check that these headers contain your domain where you will want the scripts to be called from. 您将能够检查这些标头是否包含您要从中调用脚本的域。 See here for how to do this with htaccess . 有关如何使用htaccess进行此操作的信息,请参见此处

At the end of the day this doesn't make it secure, but as in your own words will make it a little bit harder to achieve . 归根结底,这并不能保证它的安全,但是用您自己的话来说,这会使实现起来a little bit harder to achieve

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如果启用了JavaScript,则阻止php执行 - Prevent php from executing if javascript is enabled 使用 Html Javascript PHP 在计算机上发现访问读取创建本地文件? 本地用途,不适用于 web 在线服务器 - Discover access read create LOCAL files on computer using Html Javascript PHP ? Local purpose, NOT for web online server 如何防止两个JavaScript文件同时执行 - How to prevent two JavaScript files from executing simultaneously 防止jQuery()执行javascript - Prevent jQuery() from executing javascript 阻止Javascript在Safari中执行 - Prevent Javascript from executing in Safari 有没有办法阻止Javascript执行? - Is there a way to prevent Javascript from executing? 防止恶意软件javascript执行 - prevent malware javascript from executing 防止Javascript验证失败后php执行代码,并防止JS使用某些字符 - Prevent php from executing code after Javascript validation fails and prevent some characters with JS 使用Chrome Javascript应用程序在本地驱动器上执行HTML - Executing HTML on local drive with Chrome Javascript Application 本地服务器IIS上的html文件 - html files on local Server IIS
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM