I have an HTML file index.html (on my server, say abc.com) which accesses xyz.js like
<script type="text/javascript" src="xyz.js"></script>
The JavaScript file in turn accesses the data.xml file. The files index.html, xyz.js and data.xml are in the same folder.
How can I deny direct access to xyz.js and data.xml if a user types abc.com/xyz.js or abc.com/data.xml in the browser? Needless to say, index.html must still be able to access these files.
How can I do this (preferably with .htaccess)?
2 solutions
#1
4
I'm assuming you mean index.html refers to the .js file via a script tag, and then the js reads in the xml using XMLHttpRequest or something similar, i.e. the js and xml both need to be readable by the browser, but you want to restrict this to only be in an "approved" way.
If that's right, then you can't. You could try looking at the Referer, but it's unreliable and easily spoofable. Even without spoofing, many browsers have debugging tools that make it easy to see the result of every GET that has been performed.
It's better to just get used to the fact that anything you send to the browser is potentially viewable by the user if they work hard enough at it.
I suppose for JavaScript you could use an obfuscator tool if you feel so inclined. For XML, there isn't much you can do. I suppose you could encrypt it, but that would be easy to break as your js code will necessarily contain the decryption routine and key.
#2
0
If you truly need to protect the data, you need to implement the sensitive part of your program to run on the server and not in the client. Then you can keep your datasource out of the public web space completely. If the client (browser) can access the raw data, then so can the user (even if you force them to go through multiple steps to get at it).
To achieve your goal you need to split your program architecture in two:
- the non-sensitive parts run, in javascript, in the browser
- the sensitive parts run, in .net/java/php/ruby/python etc etc, on the server
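The split described in this answer, as an added example that is not part of the original post: a minimal Node.js request handler in which index.html and xyz.js are the only files in the public web root, data.xml lives outside it (so abc.com/data.xml does not resolve to anything), and the browser only ever sees a filtered JSON view through a hypothetical /api/items endpoint. The file contents, the XML layout and the endpoint name are all constructed for the example.

```javascript
// Added example: answer #2's "sensitive part on the server" pattern.
// Nothing here inspects the Referer; the data is unreachable because it is
// simply not in the web root, not because of who the request claims to come from.

// Constructed stand-in for private/data.xml. In a real deployment this would be
// fs.readFileSync'd from a directory outside the web root; it is inlined so the
// example runs offline. Only items marked public="true" may leave the server,
// and the <cost> field never does.
const PRIVATE_DATA_XML = `<?xml version="1.0"?>
<items>
  <item id="1" public="true"><name>Widget</name><cost>3.50</cost></item>
  <item id="2" public="false"><name>Internal SKU</name><cost>9.99</cost></item>
</items>`;

// Constructed contents of the public web root. Note that xyz.js now asks the
// server for /api/items instead of fetching data.xml directly.
const PUBLIC_FILES = {
  "/index.html": '<script type="text/javascript" src="xyz.js"></script>',
  "/xyz.js": 'fetch("/api/items").then(r => r.json()).then(items => render(items));',
};

// Server-side "sensitive part": parse the XML and return only the public items
// and only their non-sensitive fields. (A tiny regex parser suffices for this
// constructed layout; use a real XML parser for arbitrary input.)
function publicItems(xml) {
  const items = [];
  const re = /<item id="(\d+)" public="true"><name>([^<]*)<\/name>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    items.push({ id: Number(m[1]), name: m[2] });
  }
  return items;
}

// Map a request path to a {status, body} pair. Lookup is by exact key in a
// fixed table, so there is no path under which data.xml becomes reachable.
function handleRequest(urlPath) {
  if (urlPath === "/api/items") {
    return { status: 200, body: JSON.stringify(publicItems(PRIVATE_DATA_XML)) };
  }
  const file = PUBLIC_FILES[urlPath === "/" ? "/index.html" : urlPath];
  if (file === undefined) {
    return { status: 404, body: "Not Found" }; // /data.xml lands here
  }
  return { status: 200, body: file };
}
```

Wire handleRequest into http.createServer to serve it for real; the point of the example is that a GET for /data.xml has nothing to hit, while /api/items never returns the cost field at all.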