将信息从源站点传递到 JavaScript 应用程序链接的安全方法?
[英]Secure way to pass information from source site to a JavaScript application link?
问题描述
So I have built a JavaScript website (call this "SapUI5 application").
所以我建立了一个 JavaScript 网站(称之为“SapUI5 应用程序”)。 I need this application to be opened from a third party website (call this "Job site") which I have no access to the source code, the only thing I can do there is edit one field (where I put my link), and there I can write html, Javascript code to format my link.我需要从第三方网站(称为“求职网站”)打开此应用程序,我无法访问源代码,我唯一能做的就是编辑一个字段(我放置链接的地方),并且在那里我可以编写 html、Javascript 代码来格式化我的链接。 The problem is, my SapUI5 application needs 1 information (an int) from the Job site, and what I did is I use "getElementById" in the Job site field, then I pass it (concatenate) to my link.问题是,我的 SapUI5 应用程序需要来自工作站点的 1 个信息(一个整数),而我所做的是在工作站点字段中使用“getElementById”,然后将它传递(连接)到我的链接。 It is working fine, but the problem is that if somebody edit the link by hand, they can access other people's data that are in my SapUI5 application store.它工作正常,但问题是如果有人手动编辑链接,他们可以访问我的 SapUI5 应用程序商店中其他人的数据。 I guess there should be a way to send this information (integer) through more secure way, but without Source code I have no idea what are my options.我想应该有一种方法可以通过更安全的方式发送此信息(整数),但如果没有源代码,我不知道我有什么选择。
Simply put: There is a field in the Job Site that can process html, javascript code, people will open it, and it needs to pass information to my link, to know which user opened the link.简单的说:Job Site中有一个字段,可以处理html,javascript代码,人们会打开它,它需要传递信息给我的链接,知道哪个用户打开了链接。
2 个解决方案
解决方案1
1 2019-11-29 12:37:14
I don't know any way to protect it on client side.我不知道有什么方法可以在客户端保护它。 Expert user can manipulate client side encryption.专家用户可以操纵客户端加密。 You can add some challenge with js for encrypt user id but, it will not stop expert users.您可以使用 js 添加一些挑战来加密用户 ID,但它不会阻止专家用户。 You need add encrypted variable in backend side.您需要在后端添加加密变量。 May be you can publish Job site with proxy server and manipulate response for adding encrypted variable with proxy server (for example nginx).也许您可以使用代理服务器发布工作站点并操纵响应以使用代理服务器(例如 nginx)添加加密变量。
解决方案2
0 2019-12-05 11:27:32
just with client side scripting there is no good way.仅使用客户端脚本没有好方法。 you need to add an authentication method.您需要添加身份验证方法。 ideally single sign on, so that the user doesn't recognize it.理想情况下是单点登录,这样用户就无法识别它。
are you able to use javascript to generate the url from the application where you don't have any access?您是否能够使用 javascript 从您无权访问的应用程序生成 url? I can imagine that you can generate a key with current date time etc. and recheck this key on your webservice you program, where you have access at... but this is not pretty clean and secure我可以想象你可以生成一个包含当前日期时间等的密钥,并在你编程的网络服务上重新检查这个密钥,你可以访问...但这不是很干净和安全
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.