javascript仅允许重定向同一域内的URL
[英]javascript allow redirection only for urls inside same domain
问题描述
I have a javascript which handles a "redirect after login" concern by setting 
我有一个javascript,通过设置处理“登录后重定向”问题
window.location = url;
where "url" is provided by a GET parameter. 其中“url”由GET参数提供。 This sounds a bad practice because it allows to redirect outside of current domain. 这听起来很糟糕,因为它允许重定向到当前域之外。
So I would like to know how if there is an easy and safe way to check if "url" is an absolute url inside same domain and allow redirection only in this case . 所以我想知道如果有一种简单而安全的方法来检查“url”是否是同一域内的绝对URL并且仅在这种情况下允许重定向 。 Currently I just check if url starts with "/" and doesn't contain "http" but I'm not sure it's enough to completely protect against open redirections. 目前我只是检查url是否以“/”开头并且不包含“http”但我不确定它是否足以完全防止打开重定向。
if (url[0] === '/' && url.indexOf('http') === -1)
{
window.location = url;
}
As I do this on client side I'm aware it's still not perfect but previously there were no protection at all. 当我在客户端这样做时,我知道它仍然不完美,但之前根本没有保护。
I can use good old JS or jquery. 我可以使用旧的JS或jquery。 I also have to support IE9. 我还必须支持IE9。
late edit : maybe I didn't mentioned it clearly enough but the "url" should be an absolute url, without domain specification. 迟编辑:也许我没有清楚地提到它,但“url”应该是一个绝对的URL,没有域规范。 For example I have this kind of address (full address with url parameter at end) : http://example.com/Account/Login.aspx?ReturnUrl=%2fCheckout.aspx 例如,我有这种地址(结尾带有url参数的完整地址): http : //example.com/Account/Login.aspx?ReturnUrl =%2fCheckout.aspx
I need to avoid : http://example.com/Account/Login.aspx?ReturnUrl=http://otherdomain/badintention.aspx 我需要避免: http : //example.com/Account/Login.aspx?ReturnurnUrl = http : //otherdomain/badintention.aspx
This is why I told above I currently check if it starts by "/" but I'm not sure it's enough to get safe. 这就是为什么我告诉上面我目前检查它是否以“/”开头,但我不确定它是否足够安全。 So I can't use some of your suggestions. 所以我不能使用你的一些建议。
Thanks 谢谢
3 个解决方案
解决方案1
4 2015-05-11 16:42:06
解决方案2
2 2015-05-11 16:42:34
Can you just issue an HTTP 307 temporary redirect from the server and not have to worry about client code? 您是否可以从服务器发出HTTP 307临时重定向,而不必担心客户端代码? It seems more secure that way. 这样看起来更安全。 http://en.wikipedia.org/wiki/URL_redirection http://en.wikipedia.org/wiki/URL_redirection
Otherwise, your javascript could also check against window.location.hostname. 否则,您的javascript也可以检查window.location.hostname。
EDIT: if you're only going to allow relative URLs, it seems like checking for '/' at the beginning should be fairly safe as long as you're 100% sure it's a URL, but you can probably even add the window.location.hostname to the beginning to be absolutely sure you're squashing the possibility of semantic trickery. 编辑:如果你只是允许相对的URL,看起来在开始时检查'/'应该是相当安全的,只要你100%确定它是一个URL,但你甚至可以添加窗口。 location.hostname一开始就绝对肯定你正在压制语义欺骗的可能性。
解决方案3
2 2015-05-11 16:42:40
you can fetch the current domain name with window.document.domain and check if the url provided by GET operation has this? 您可以使用window.document.domain获取当前域名,并检查GET操作提供的URL是否具有此功能?
Sorry it should ideally be a comment but do not have enough privileges. 对不起,它理想情况下应该是评论,但没有足够的权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.