如何阻止对我的 JavaScript 文件的直接访问?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6335644/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How can I block direct access to my JavaScript files?
提问by Chris Laplante
I use Minify to minify and cache all my script requests. I only want my users to be able to access the minified versions of the JavaScript files.
我使用 Minify 来缩小和缓存我所有的脚本请求。我只希望我的用户能够访问 JavaScript 文件的缩小版本。
Minify lies at www.example.com/minand my scripts are at www.example.com/scripts. How can I block direct access to doc_root/scriptswhich is where my unminified JavaScript files lie. I'd rather not put them out of the document root but it's an option.
缩小位于 ,www.example.com/min我的脚本位于www.example.com/scripts。如何阻止直接访问doc_root/scripts我未压缩的 JavaScript 文件所在的位置。我宁愿不将它们从文档根目录中删除,但这是一个选项。
Please note that I'm using Zend Framework, so the actual root of my application is shifted to www.example.com/public. An htaccess file handles the rewrite.
请注意,我使用的是 Zend Framework,因此我的应用程序的实际根目录已转移到www.example.com/public. htaccess 文件处理重写。
回答by Darien
Can't you just use an .htaccess file inside doc_root/scriptsto prevent all access over the web to .jsfiles over HTTP?
难道你不能只在里面使用一个 .htaccess 文件doc_root/scripts来阻止所有通过网络访问.jsHTTP 文件吗?
It won't stop minify, since that provides indirectaccess.
它不会停止缩小,因为它提供了间接访问。
So in doc_root/scripts/.htaccess, something along the lines of
所以在doc_root/scripts/.htaccess,类似的东西
<Files ~ "\.js$">
order allow,deny
deny from all
</Files>
Note that the location of the .htaccessfile matters in this case.
请注意,.htaccess在这种情况下,文件的位置很重要。
回答by dtbarne
You effectively can't block end-user facing code. Even if you served it with PHP or another server-side language and blocked direct requests, it's of course still possible to read it directly with a number of tools.
您无法有效地阻止面向最终用户的代码。即使您使用 PHP 或其他服务器端语言为其提供服务并阻止直接请求,当然仍然可以使用多种工具直接读取它。
You should code with this in mind and be mindful with javascript comments, business knowledge, etc.
您应该牢记这一点进行编码,并注意 JavaScript 注释、业务知识等。
UPDATE:
更新:
However, if you're talking about code that doesn't ever need to be accessed by an end-user, you could as you mentioned move it out of the server root, or you can block the files in your directory (or an entire directory). It's easy with Apache's .htaccess.
但是,如果您谈论的是最终用户永远不需要访问的代码,您可以像您提到的那样将其移出服务器根目录,或者您可以阻止目录中的文件(或整个目录)目录)。使用 Apache 的 .htaccess 很容易。
order deny, allow
deny from all
You could also redirect the source files to the minified versions with mod_rewrite in your .htaccess file.
您还可以使用 .htaccess 文件中的 mod_rewrite 将源文件重定向到缩小版本。
RewriteEngine On
RewriteRule /scripts/(.*)$ /min/ [L,NC]
回答by Ovidiu Bute
Depends on the server you're using. Assuming it's Apache, you can add this to your .htaccess file:
取决于您使用的服务器。假设它是 Apache,您可以将其添加到您的 .htaccess 文件中:
<Directory ~ "\scripts">
Order allow,deny
Deny from all
</Directory>
Or something to that effect..
或类似的东西..
回答by Marc B
The only way is to check referers, and not everyone sends them, or sends a real one. In other words, you can't block direct access to anyone who really wants something. It's impossible to determine with 100% accuracy if a request is a direct one or is being done via a <script src=....>type request.
唯一的方法是检查引用,而不是每个人都发送它们,或者发送一个真实的。换句话说,您无法阻止对真正想要某样东西的任何人的直接访问。不可能 100% 准确地确定请求是直接请求还是通过<script src=....>类型请求完成。
回答by kyushiro
For your Javascript to actually run the user's browser must be able to read it ultimately. As such there's no real way to "block" access to your scripts folder (well to be precise you can but that would break your website since the browser would not see the files in order to run them.)
为了让您的 Javascript 真正运行,用户的浏览器最终必须能够读取它。因此,没有真正的方法可以“阻止”对您的脚本文件夹的访问(准确地说,您可以,但这会破坏您的网站,因为浏览器不会看到文件以运行它们。)
One solution could be obfuscation, which makes the javascript code harder to read / understand but ultimately the user will see the code, and with a bit of persevering reverse engineering it can be de-obfuscated.
一种解决方案可能是混淆,这会使 JavaScript 代码更难阅读/理解,但最终用户会看到代码,并且通过一些坚持不懈的逆向工程可以对其进行去混淆。
Another thing i've seen someone do is creating an "empty" js.html page, and insert all their javascript into script tags in the page (embedded, not external), and from his main page make ann ajax request to js.html and embed it at the bottom of the page. kind of a round about way but the user will not see the js when viewing the source unless using developper tools such as firebug.
我见过有人做的另一件事是创建一个“空”的 js.html 页面,并将他们所有的 javascript 插入页面中的脚本标签(嵌入,而不是外部),然后从他的主页向 js.html 发出 ann ajax 请求并将其嵌入页面底部。有点绕,但用户在查看源代码时不会看到 js,除非使用诸如 firebug 之类的开发工具。
Note that the last option also might cause some delay depending on the abount of code you are loading. but here the key is not blocking access to your scripts, but just making them harder to obtain / read / copy.
请注意,最后一个选项也可能会导致一些延迟,具体取决于您正在加载的代码量。但这里的关键不是阻止访问您的脚本,而是让它们更难获取/读取/复制。
Edit: oops, misread as well. I think the best solution in this case would be to go with an htaccess file in your scripts folder denying all access
编辑:哎呀,也误读了。我认为在这种情况下最好的解决方案是在脚本文件夹中使用 htaccess 文件拒绝所有访问
回答by Maratonec
This answer is little bit newer, than question (only several years, that's nothing)
这个答案比问题更新一点(只有几年,没什么)
You cannot deny access to JavaScript file, because they wont't be accessible from <script>tag.
您不能拒绝访问 JavaScript 文件,因为它们不能从<script>标签访问。
But I found a workaround:
但我找到了一个解决方法:
RewriteEngine On
RewriteRule ^.*\.js$ /invalid.html [R=301,L]
Place it in your .htaccess file in your home folder of web. (under htdocs or public_html). This will automatically redirect everyone from it. So they don't see it.
将它放在您的 web 主文件夹中的 .htaccess 文件中。(在 htdocs 或 public_html 下)。这将自动重定向所有人。所以他们看不到。
