Is going back safe?

Time: 2022-08-26 16:13:15

I have a link like the one in the title in a custom 404 error page, which allows the user to go to the previous page just like with the browser's go back button. I just want to ask if this method of linking is safe or not. I guess it is safe, but I am not sure. Thanks in advance!

1 solution

#1


1  

One use case I can say that will not be "safe" is if the user has JavaScript disabled. In that case, you would have to create the link dynamically with server-side code using the HTTP referer header field's value as your href value on the anchor element.

Another thing to consider is the never-ending back and forth loop users would get stuck in, if they came from a page with an HTTP redirect.

Edit:

As you said above, you can use $_SERVER['HTTP_REFERER'] but the documentation says

... This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

In reality, most browsers do set it correctly though, and seeing how this is not mission critical I think it's safe if you use it. You could also account for browsers that don't set it as follows:

if (isset($_SERVER['HTTP_REFERER']))   // single R: PHP exposes the Referer header as HTTP_REFERER
{
    // Show a Back button link if the referrer is available.
    // The header is client-controlled, so escape it for the attribute context instead of echoing it raw.
    echo "<a href=\"" . htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8') . "\">&laquo; Back</a>";
}
else
{
    // If not, show a link to your homepage instead
    echo "<a href=\"//www.yoursite.com\">Home</a>";
}
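A fuller server-side version, added here as an example and not taken from the answer above: it accepts the referrer only when it parses as an http(s) URL on the site's own host, refuses to link back to the 404 page itself (the simplest form of the back-and-forth loop the answer mentions), rebuilds the href from the parsed parts rather than echoing the raw header, and escapes it for the attribute context. The host name www.yoursite.com, the function names and the sample referrer values are assumptions made for the example.

```php
<?php
// Added example, not the answer's own code. Builds a "Back" link from the
// Referer header only when the header is usable; otherwise links to the home page.

/**
 * Return a relative href for the Back link, or null when the referrer
 * cannot be used. $referer is the raw header value (null when absent).
 */
function safeBackHref(?string $referer, string $ownHost, string $currentPath): ?string
{
    if ($referer === null || $referer === '') {
        return null;                       // header not sent (privacy settings, direct visit)
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                       // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                       // refuse anything that is not plain http(s)
    }
    if (strcasecmp($parts['host'], $ownHost) !== 0) {
        return null;                       // only link back within our own site
    }
    $path = $parts['path'] ?? '/';
    if ($path === $currentPath) {
        return null;                       // referrer is this very page: would loop straight back here
    }
    // Rebuild the URL from the validated parts instead of reusing the raw header string.
    $href = $path;
    if (isset($parts['query'])) {
        $href .= '?' . $parts['query'];
    }
    return $href;
}

/** Render the anchor element for the 404 template. */
function backLinkHtml(?string $referer, string $ownHost, string $currentPath): string
{
    $href = safeBackHref($referer, $ownHost, $currentPath);
    if ($href === null) {
        return '<a href="/">Home</a>';
    }
    // Escape for the HTML attribute context so a crafted URL cannot break out of href.
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">&laquo; Back</a>';
}

// Usage inside the 404 page (assumed host name; REQUEST_URI is reduced to its path).
$currentPath = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
echo backLinkHtml($_SERVER['HTTP_REFERER'] ?? null, 'www.yoursite.com', $currentPath), "\n";

// Constructed sample referrers showing each branch:
var_dump(safeBackHref('https://www.yoursite.com/products?id=7', 'www.yoursite.com', '/missing')); // "/products?id=7"
var_dump(safeBackHref('https://other.example/page', 'www.yoursite.com', '/missing'));            // NULL (foreign host)
var_dump(safeBackHref('https://www.yoursite.com/missing', 'www.yoursite.com', '/missing'));      // NULL (would loop)
var_dump(safeBackHref(null, 'www.yoursite.com', '/missing'));                                    // NULL (header absent)
```

The host check is what keeps this from becoming an open redirect into whatever site the header names, and rebuilding the href from parsed parts means only a path and query from your own origin ever reach the page. Note that the self-referencing check does not cover the redirect case from the answer: when a visitor arrives via an HTTP redirect, the browser keeps the Referer of the page that issued the redirect, so that loop has to be handled by fixing the redirect rather than by inspecting the header.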