简体繁体 English

浏览器插件或扩展程序能否查看页面中运行的javascript变量的值

[英]Can a Browser Plugin or Extension see the value of javascript variables running in a page

原文 2019-01-25 07:56:41 0 1 javascript/ security/ google-chrome-extension/ oauth

I want to use something like OAuth Implicit Grant to give the client the access token so that work can be done on the client rather than the server, thus saving me costs. 我想使用OAuth Implicit Grant之类的东西给客户端访问令牌，以便可以在客户端而不是服务器上完成工作，从而节省了成本。

I don't want to use Implicit exactly. 我不想完全使用隐式。 Instead, I want to use Authorization Grant. 相反，我想使用授权授予。 My server will be first to get the access token, so the browser won't store the token in the history, or logs. 我的服务器将首先获得访问令牌，因此浏览器不会在历史记录或日志中存储该令牌。 The server will send the token to the client via web socket. 服务器将通过Web套接字将令牌发送给客户端。 The client will now have the token in it's javascript runtime. 客户端现在将在javascript运行时中包含令牌。

I am wondering if it is possible for anyone to steal the token. 我想知道是否有人可以窃取令牌。 The client is on a trusted website, however, I am wondering if something like a Chrome extension can inspect javasceipt runtime and see the access token's value. 客户端位于受信任的网站上，但是，我想知道Chrome扩展之类的东西是否可以检查javasceipt运行时并查看访问令牌的值。

I also wondering if there are any other ways someone could get the access token out of the client's javascript runtime. 我还想知道是否有人可以通过其他方式从客户端的javascript运行时中获取访问令牌。

1 个解决方案

It is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). 通常不建议使用隐式流 （某些服务器完全禁止该流）。

If you are building a new SPA , you should consider implementing the new guidance based on authorization code with PKCE. 如果要构建新的SPA ，则应考虑使用PKCE基于授权代码实施新指南。

可以从JavaScript文件中看到函数，但不能看到变量 - Can see function from javascript file but not variables

通过 Chrome 扩展在页面上运行 JavaScript - Running JavaScript on a Page via Chrome Extension

我无法让我的 firefox 浏览器扩展工作 - 特别是让 javascript 文件在页面加载时执行 - I can't get my firefox browser extension to work - specifically getting the javascript file to execute on page load

javascript代码未运行，浏览器上的空白页 - javascript code not running, blank page on browser

javascript在刷新页面后保留隐藏输入变量的值（F5或单击浏览器的刷新按钮） - javascript retaining the value of hidden input variables even after refreshing page ( F5 or clicking refresh button of browser)

将Boomerang实现为浏览器扩展/插件 - Implementing Boomerang into a browser extension/plugin

javascript循环冻结浏览器，在循环之前无法看到更改 - javascript loop freezes browser and can't see change before loop

如何让浏览器看到 CSS 和 Javascript 的变化？ - How can I make the browser see CSS and Javascript changes?

Eclipse Javascript插件扩展 - Eclipse Javascript Plugin extension

页面加载完成后，在Google Chrome扩展程序中运行javascript - Running javascript in the Google Chrome extension after a page has done loading

暂无

暂无

声明:本站的技术帖子网页，遵循CC BY-SA 4.0协议，如果您需要转载，请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 可以从JavaScript文件中看到函数，但不能看到变量 - Can see function from javascript file but not variables 通过 Chrome 扩展在页面上运行 JavaScript - Running JavaScript on a Page via Chrome Extension 我无法让我的 firefox 浏览器扩展工作 - 特别是让 javascript 文件在页面加载时执行 - I can't get my firefox browser extension to work - specifically getting the javascript file to execute on page load javascript代码未运行，浏览器上的空白页 - javascript code not running, blank page on browser javascript在刷新页面后保留隐藏输入变量的值（F5或单击浏览器的刷新按钮） - javascript retaining the value of hidden input variables even after refreshing page ( F5 or clicking refresh button of browser) 将Boomerang实现为浏览器扩展/插件 - Implementing Boomerang into a browser extension/plugin javascript循环冻结浏览器，在循环之前无法看到更改 - javascript loop freezes browser and can't see change before loop 如何让浏览器看到 CSS 和 Javascript 的变化？ - How can I make the browser see CSS and Javascript changes? Eclipse Javascript插件扩展 - Eclipse Javascript Plugin extension 页面加载完成后，在Google Chrome扩展程序中运行javascript - Running javascript in the Google Chrome extension after a page has done loading

相关标签

粤ICP备18138465号 © 2020-2024 STACKOOM.COM