Prevent direct access to a php file that would be loaded in another server
I have this file style.php that would be used as the main CSS styling of several domains. This style.php file will only be available on 'website 1', while the remaining websites will load it from website 1.
For website 1:
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title> Website one </title>
<link rel="stylesheet" href="style.php">
</head>
<body>
</body>
For website 2:
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title> Website one </title>
<link rel="stylesheet" href="https://website1.com/style.php">
</head>
<body>
</body>
For website 3:
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title> Website one </title>
<link rel="stylesheet" href="https://website1.com/style.php">
</head>
<body>
</body>
The same goes for several other websites.
Now this is what I want to do: I don't want direct access to style.php on website 1. For example, if a user visits https://website1.com/style.php , he shouldn't have access to it.
Here is the problem: when I use .htaccess to deny access to it, websites 2 and 3 won't be able to load the CSS.
Is there any possible tweak I can make to style.php so that when a user visits https://website1.com/style.php he won't be able to access it, but when it is used as a stylesheet on websites 2 and 3 it loads the CSS normally?
The short answer is "no".
The longer answer is that you have an incorrect mental model of what is currently happening. You are imagining that when you reference the stylesheet from website 2, the request is in some way "coming from" that website. What is actually happening is this:
At no point do your two servers talk to each other; they are always receiving requests from, and sending responses to, the browser. If the server refuses the request at step 5, the browser will never know what the stylesheet contained, so will just render the page without those styles.
With this in mind, we can re-cast the question:
Can I determine why a browser is requesting a URL, to distinguish between a user typing the URL into the address bar and the stylesheet being used on one of my sites?
The answer is maybe: there is an HTTP header that browsers can send called "REFERER" (yes, that's a typo for "referrer", but one that happened so long ago it became standard), which gives the URL the request "came from" in some sense. For a directly typed URL, it will always be blank; for a stylesheet URL, it will probably be the containing page. You can access it in PHP as $_SERVER['HTTP_REFERER'], or in an Apache configuration by putting RewriteCond %{HTTP_REFERER} some-pattern-to-match in front of a RewriteRule.
However, browsers have recently become stricter about passing referrer information between domains, for privacy reasons, so it may be blank in your case.
It's also really important to note that everything in the request is under full control of the user, and everything in the response is fully visible to the user. It's trivial to send a request with a fake REFERER header once you figure out that's what's needed. It's even more trivial to look at the stylesheet while you're on the site that uses it: in most browsers, pressing F12 will pop up "developer tools" where you can see everything the server sent.
So if you're hoping to keep the styles in some way "secret", you're out of luck; the user needs to be able to see the styles for their browser to use them.
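The Referer check the answer describes, written out as a style.php that serves CSS only when the request carries a Referer from one of the site's own hosts. This is an added example, not code from the question or the answer; the host allow-list, the CSS body and the cache headers are assumptions for illustration.

```php
<?php
// style.php: serve the stylesheet only when the Referer header names one of
// our own sites. Added example, not from the original question or answer.
// The host list and the CSS body below are assumptions for illustration.

// Hosts whose pages are allowed to embed this stylesheet (assumed).
const ALLOWED_REFERER_HOSTS = ['website1.com', 'website2.com', 'website3.com'];

/**
 * Decide whether a request should be served, given its raw Referer header.
 *
 * Returns true only when the Referer parses as an https URL whose host is in
 * the allow list. An absent or malformed Referer (a URL typed into the
 * address bar, curl with no headers, or a page sent with
 * "Referrer-Policy: no-referrer") is refused.
 *
 * Browsers' current default policy, strict-origin-when-cross-origin, sends
 * only the origin (e.g. "https://website2.com/") on cross-site loads, so the
 * comparison is on the host alone and never on the path.
 */
function refererAllowed(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    // Exact host match: a substring or prefix match would let a host such as
    // "website1.com.evil.example" through.
    $host   = strtolower($parts['host']);
    $scheme = strtolower($parts['scheme'] ?? '');
    return $scheme === 'https' && in_array($host, $allowedHosts, true);
}

if (!refererAllowed($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_REFERER_HOSTS)) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Forbidden\n";
    exit;
}

// The decision depends on the Referer, so tell caches to key on it and keep
// the response out of shared caches; otherwise one allowed fetch could fill a
// cache that later serves the same body to a direct visitor.
header('Content-Type: text/css; charset=utf-8');
header('Vary: Referer');
header('Cache-Control: private, max-age=300');

// Constructed stylesheet body (assumption; the real styles are not on the page).
echo "body { font-family: sans-serif; }\n";
```

As the answer says, this is a soft control, not access control: `curl -H 'Referer: https://website2.com/' https://website1.com/style.php` returns the CSS, and the same body is visible in the browser's developer tools on any page that embeds it. It also fails closed in the wrong direction: if website 2 or 3 ever sends `Referrer-Policy: no-referrer`, their legitimate stylesheet loads get the 403 and render unstyled.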