
Client side API security

I was implementing Olark live chat on my website and all I had to do was implement the following js code.

  <script type="text/javascript" async>
      ;(function(o,l,a,r,k,y){if(o.olark)return;
      r="script";y=l.createElement(r);r=l.getElementsByTagName(r)[0];
      y.async=1;y.src="//"+a;r.parentNode.insertBefore(y,r);
      y=o.olark=function(){k.s.push(arguments);k.t.push(+new Date)};
      y.extend=function(i,j){y("extend",i,j)};
      y.identify=function(i){y("identify",k.i=i)};
      y.configure=function(i,j){y("configure",i,j);k.c[i]=j};
      k=y._={s:[],t:[+new Date],c:{},l:a};
      })(window,document,"static.olark.com/jsclient/loader.js");

      /* Add configuration calls below this comment */
      olark.identify('XXXX-XXX-XX-XXXX');
  </script>

I am wondering what technique third-party JavaScript plugins like Olark, Disqus and similar companies use?

As you can see, olark.identify() is publicly available on my web page and you can find it with "inspect element". So how do they handle security and bounce unwanted requests?

  olark.identify('XXXX-XXX-XX-XXXX');

It's a fairly broad question, but I'll make an attempt to answer:

Lots of these tools don't really block unwanted requests. For example, it's possible to embed a Disqus comment block on a completely unrelated website.

I don't think this is the worst thing, because: what's the issue with comments showing up somewhere else? It was already public information to begin with.

Scripts that need to restrict exactly which domains they can be embedded in tend to use CORS and the Origin header to make sure of this. Alternatively, they can use the information from document.location.

This is not 'hard' security in the sense that it completely prevents misuse, but it uses the browser sandbox to make it a lot harder to abuse.
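As an added example (not from the question, the answer, or Olark's own code), here is the server-side half of the Origin-header approach the answer describes: the widget backend keeps an allowlist of origins registered for each public site id and echoes only a matching Origin back in CORS headers. The site id, registered domains and function names are constructed for illustration.

```javascript
// Constructed registry: a widget "site id" (the public value a page passes to
// olark.identify()) mapped to the origins its owner registered. Hypothetical data.
const SITE_REGISTRY = {
  "XXXX-XXX-XX-XXXX": ["https://example.com", "https://www.example.com"],
};

// Normalise an origin string ("https://WWW.Example.com:443/" -> "https://www.example.com").
// Returns null for anything that is not a well-formed http(s) origin, including the
// literal "null" origin browsers send from sandboxed iframes and data: URLs.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // malformed header value
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin; // lower-cases the host, drops the path and default port
}

// Server-side decision for a request made by the embedded script: does the
// browser-set Origin header match a domain registered for this site id?
// Returns the origin to allow, or null to refuse. Scheme and full host must match,
// so "https://example.com.attacker.test" or "http://example.com" do not pass.
function allowedOriginFor(siteId, originHeader) {
  const registered = SITE_REGISTRY[siteId];
  if (!registered) return null; // unknown site id
  const origin = normalizeOrigin(originHeader);
  if (origin === null) return null; // missing, "null" or malformed Origin
  return registered.some((r) => normalizeOrigin(r) === origin) ? origin : null;
}

// CORS response headers for an allowed request. The allowed origin is echoed back
// (never "*"), and Vary: Origin keeps caches from serving one origin's answer to
// another. Note this is the "browser sandbox" kind of protection the answer
// mentions: browsers set Origin and page scripts cannot override it, but a
// non-browser client can send any value it likes.
function corsHeadersFor(siteId, originHeader) {
  const origin = allowedOriginFor(siteId, originHeader);
  if (origin === null) return null; // caller responds 403 and sends no CORS headers
  return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
}
```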
