在 Chrome 扩展程序中保护网站 API 密钥
[英]Securing website API keys in Chrome extensions
问题描述
I'm building a Chrome extension using the Remember the Milk web API.
我正在使用Remember the Milk web API 构建Chrome 扩展程序。 In order to call methods in this API, I need to sign my requests using an API key and a "shared secret" key.为了调用此 API 中的方法,我需要使用 API 密钥和“共享秘密”密钥对我的请求进行签名。
My concern is that any user could just crack open the extension and pull out these values if I include them in the published extension.我担心的是,如果我将它们包含在已发布的扩展中,任何用户都可以打开扩展并提取这些值。 This may or may not pose a security rise for the user, but he or she could certainly use/abuse my API key and maybe get it revoked.这可能会或可能不会为用户带来安全性提升,但他或她肯定可以使用/滥用我的 API 密钥并可能将其撤销。
Is this something I should be concerned about?这是我应该关心的事情吗? Are there any best practices for protecting this type of information in published JavaScript applications?是否有任何最佳做法可以保护已发布的 JavaScript 应用程序中的此类信息?
1 个解决方案
解决方案1
23 已采纳 2011-12-20 15:02:35
Ultimately you can't truly hide anything within a JS application that's run in the browser;最终,您无法真正隐藏在浏览器中运行的 JS 应用程序中的任何内容; you can obfuscate or minify the code, which will distract casual users from snooping around, but in the end its always going to be possible to grab your plaintext secret.您可以混淆或缩小代码,这会分散临时用户的注意力,使其无法四处窥探,但最终总有可能获取您的明文秘密。
If you really need to prevent this from happening, then one option is to pass calls from your extension to a server you have access to.如果您确实需要防止这种情况发生,那么一种选择是将呼叫从您的分机传递到您有权访问的服务器。 Your server can add any paramters required for signing, forward the call on to the relevant API, and pass the API's response back to the user.您的服务器可以添加签名所需的任何参数,将调用转发到相关的 API,并将 API 的响应传回给用户。 Of course this adds bandwidth / uptime constraints which you may not want.当然,这会增加您可能不想要的带宽/正常运行时间限制。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.