[英]Can a Browser Plugin or Extension see the value of javascript variables running in a page
I want to use something like OAuth Implicit Grant to give the client the access token so that work can be done on the client rather than the server, thus saving me costs. 我想使用OAuth Implicit Grant之类的东西给客户端访问令牌,以便可以在客户端而不是服务器上完成工作,从而节省了成本。
I don't want to use Implicit exactly. 我不想完全使用隐式。 Instead, I want to use Authorization Grant.
相反,我想使用授权授予。 My server will be first to get the access token, so the browser won't store the token in the history, or logs.
我的服务器将首先获得访问令牌,因此浏览器不会在历史记录或日志中存储该令牌。 The server will send the token to the client via web socket.
服务器将通过Web套接字将令牌发送给客户端。 The client will now have the token in it's javascript runtime.
客户端现在将在javascript运行时中包含令牌。
I am wondering if it is possible for anyone to steal the token. 我想知道是否有人可以窃取令牌。 The client is on a trusted website, however, I am wondering if something like a Chrome extension can inspect javasceipt runtime and see the access token's value.
客户端位于受信任的网站上,但是,我想知道Chrome扩展之类的东西是否可以检查javasceipt运行时并查看访问令牌的值。
I also wondering if there are any other ways someone could get the access token out of the client's javascript runtime. 我还想知道是否有人可以通过其他方式从客户端的javascript运行时中获取访问令牌。
It is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). 通常不建议使用隐式流 (某些服务器完全禁止该流)。
If you are building a new SPA , you should consider implementing the new guidance based on authorization code with PKCE. 如果要构建新的SPA ,则应考虑使用PKCE基于授权代码实施新指南。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.