
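JavaScript: Prohibit access to a page that is directly typed in the browser

Is it possible to prohibit access to a page when its URL is typed directly into the browser, but not prohibit access when the URL comes from an iframe?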

Any client-side check you do can be bypassed. For a robust mechanism, you'll need to involve a server: Have clicking on the link send a message to the server with a browser signature (including IP), which you record with the date/time. When the protected page is requested, check the browser signature in the request and ensure it matches a signature received within an acceptable time prior to the request. This can also be bypassed, just a bit less easily.

In terms of client-side-only mechanisms (which, again, are easily bypassed):

  • You'll probably get people pointing you at document.referrer, but it's extremely easy to spoof and I wouldn't rely on it.

  • The only other way I can think of is if both pages are in the same origin. If so, when the user clicks the link in the iframe, you can set a value in localStorage:

     // (In a click handler on the link)
     localStorage.setItem("clicktime", Date.now());

    ...and in the page:

     var MAX_DURATION = 500; // milliseconds
     var clicktime = localStorage.getItem("clicktime");
     // Reject if no click was recorded, or if it is older than MAX_DURATION
     if (!clicktime || isNaN(clicktime) || Date.now() - clicktime > MAX_DURATION) {
         // Disallow access by (for instance) redirecting or similar
     }

...but again, client-side mechanisms are easily bypassed.
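
The server-side check described at the start of the answer, sketched for Node.js as an added example that is not part of the original answer. The `/clicked` and `/protected` paths, the 5-second window, the function names and the single-use rule are assumptions made for illustration.

```javascript
// Added example, not the answerer's code. Paths, names and the time window
// are assumptions. No dependencies; plug in with http.createServer(handle).
const MAX_AGE_MS = 5000;        // acceptable gap between click and page request
const recentClicks = new Map(); // browser signature -> time the click was reported

// "Browser signature": client IP plus User-Agent, read from the request.
// Behind a reverse proxy remoteAddress is the proxy, so the IP would have to
// come from a header that the proxy sets and the server trusts.
function signatureOf(req) {
  return `${req.socket.remoteAddress}|${req.headers["user-agent"] || ""}`;
}

// Called when the link inside the iframe reports a click.
function recordClick(sig, now = Date.now()) {
  recentClicks.set(sig, now);
}

// Called when the protected page is requested. The record is deleted on
// lookup, so one reported click admits one page load (an assumption).
function consumeClick(sig, now = Date.now()) {
  const clickedAt = recentClicks.get(sig);
  recentClicks.delete(sig);
  return clickedAt !== undefined && now >= clickedAt && now - clickedAt <= MAX_AGE_MS;
}

// Drop stale records so the map does not grow without bound; returns what is left.
function purgeExpired(now = Date.now()) {
  for (const [sig, t] of recentClicks) {
    if (now - t > MAX_AGE_MS) recentClicks.delete(sig);
  }
  return recentClicks.size;
}

function handle(req, res) {
  const sig = signatureOf(req);
  if (req.method === "POST" && req.url === "/clicked") {
    recordClick(sig);
    res.writeHead(204).end();
  } else if (req.url === "/protected") {
    const ok = consumeClick(sig);
    res.writeHead(ok ? 200 : 403, { "Content-Type": "text/plain" });
    res.end(ok ? "protected content" : "forbidden");
  } else {
    res.writeHead(404).end();
  }
}
```

The signature is built only from values the client controls or shares with others (User-Agent, a possibly NATed IP), which is why the answer notes that this check can still be bypassed.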
