隐藏在JavaScript代码中的URL（PHP生成的URL）

Question

I am looking for a solution to the following:

I have a piece of JS code, that performs a redirection to a URL that is constructed with PHP, and that redirection is only done when the user presses a button on a confirmation dialog.

The code is, as follows:

function one() {
    window.location.replace("<?php 

if($new_redir == "1")  {

echo "$new_second_redirect_URL/?token=$hash";

}

else  {

echo "$second_redirect_URL/?token=$hash";

}

?>");
}

It works perfectly fine. What I wanna do is conceal the URL that is displayed in the source code when a user opens the page.

What would be the best way to do that?

Answer 1

You're thinking too much into this to be honest.

If they want to avoid the confirmation screen and get the URL from the source, there's not really much you could do.

The best really is possibly performing an AJAX request on confirmation and getting a CSRF token based URL from the response and using that, but that could end up being overkill as well.

You could also make it into an actual <form></form> form with a few hidden fields (again, such as a CSRF token), and perform the post validation onclick. If it a success - redirect them.

UPDATE:

Use robots.txt to stop bots Build the QS with JS to stop most bots, something like:

var csrftoken='XJIWHEOU324uipHFOFUHR'; 
var url="http://url.com/page.php?token="; 
url=url+csrftoken;

What you could also do, is something like us actually, although for your use case it could be too much. Log every single page load into the DB, and check if if they're a first time visitor to the page after confirmation.

AJAX call (jQuery example):

$.post( "url_to_backend_page_to_get_url", {hasSubmittedForm:"true"}, function( data ) {
 window.location.href = data;
});