Original URL: http://stackoverflow.com/questions/24166191/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Google API: Authorized JavaScript Origins
Asked by Ivaylo
I'm implementing a Google+ Sign-In for our web service, and stumbled on "Authorized JavaScript Origins". Our clients have web addresses either as a sub-domain of our main domain, or as a custom domain name. Since the login page is under that sub-domain (or custom domain), and in order to make the Google+ Sign-In button work, that custom domain/sub-domain should be (manually) entered in the "Authorized JavaScript Origins" list (with both http and https).
Does anybody know a way to do that automatically (through some API maybe)? If not, then how do you do it?
Answered by Robert Levy
Not sure if there is an API for this. At first glance I don't see one. The alternative (aside from manually adding domains all the time) is to use a hidden iframe on each site - this iframe would come from your domain and would be the only thing that calls Google services. The main sites would communicate with the iframe (postMessage) to tell it what to send Google. This, of course, opens up a security risk (anybody could load your iframe into their page and do bad things on your behalf) so you'll want to make sure that the iframe code refuses to do anything unless it's running within a page on a known-good domain.
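An added example (not part of the answer above and not Google's code) of the known-good-domain check that answer calls for, written as the message handler inside the hidden iframe. The domain names, the `signin` action and the `startSignIn` callback are hypothetical, and the sketch assumes only HTTPS parent pages are accepted.

```javascript
// Runs inside the hidden iframe served from the main domain.
// Constructed placeholders: every domain, the "signin" action, startSignIn().
const BASE_DOMAIN = "example-service.test";
const CUSTOM_DOMAINS = new Set(["shop.customer-one.test"]);
const ALLOWED_ACTIONS = new Set(["signin"]);

// True only for an exact, known-good HTTPS origin on the default port.
function isTrustedOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // e.g. the opaque origin "null" of a sandboxed frame
  }
  if (url.protocol !== "https:" || url.port !== "") return false;
  if (url.origin !== origin) return false; // no path, query or credentials
  const host = url.hostname;
  // Compare whole labels: a bare endsWith(BASE_DOMAIN) would also match
  // look-alike hosts that merely end in the same characters.
  return (
    host === BASE_DOMAIN ||
    host.endsWith("." + BASE_DOMAIN) ||
    CUSTOM_DOMAINS.has(host)
  );
}

// Handles one message event; returns true only if the request was acted on.
function handleMessage(event, startSignIn) {
  if (!isTrustedOrigin(event.origin)) return false; // ignore unknown embedders
  const data = event.data;
  if (typeof data !== "object" || data === null) return false;
  if (!ALLOWED_ACTIONS.has(data.action)) return false; // fixed verbs only
  const result = startSignIn(data.action);
  // Reply to the verified origin, never "*".
  event.source.postMessage({ action: data.action, result }, event.origin);
  return true;
}

// Register the listener only in a browser, so the file also loads under Node.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) =>
    handleMessage(event, () => "started") // stand-in for the real Google call
  );
}
```

A `Content-Security-Policy: frame-ancestors` header on the iframe page can additionally restrict which sites are able to embed it.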
Answered by Swaathi Kakarla
You can also have a common URL which all subdomains point to when trying to log in with Google. Then have this URL redirect to your actual Google login path. Beats having to deal with an iframe this way.