
JavaScript: prohibit access to a page that is typed directly into the browser

Is it possible to block access to a page when its URL is typed directly into the browser, but not block it when the page is loaded from within an iframe?

Any client-side check you do can be bypassed. For a robust mechanism, you'll need to involve a server: have clicking on the link send a message to the server with a browser signature (including IP), which you record with the date/time. When the protected page is requested, check the browser signature in the request and ensure it matches a signature received within an acceptable time prior to the request. This can also be bypassed, just a bit less easily.

In terms of client-side-only mechanisms (which, again, are easily bypassed):

  • You'll probably get people pointing you at document.referrer, but it's extremely easy to spoof and I wouldn't rely on it.

  • The only other way I can think of is if both pages are in the same origin. If so, when the user clicks the link in the iframe, you can set a value in localStorage:

     // (In a click handler on the link)
     localStorage.setItem("clicktime", Date.now());

    ...and in the page:

     var MAX_DURATION = 500; // milliseconds
     var clicktime = localStorage.getItem("clicktime"); // stored as a string, or null if never set
     if (!clicktime || isNaN(clicktime) || Date.now() - Number(clicktime) > MAX_DURATION) {
         // No click recorded, or the click was too long ago:
         // disallow access by (for instance) redirecting or similar
     }

...but again, client-side mechanisms are easily bypassed.

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish, please cite this site's URL or the original address. Questions: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM