JavaScript source map files in production - is it safe?

Notice: this page is a Chinese/English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/27345520/

Date: 2020-08-23 00:03:08  Source: igfitidea

Source maps files in production - Is it safe?

Tags: javascript, uglifyjs, sentry, source-maps, raven

Asked by Ofer Velich

I'm using UglifyJS to minify and uglify my sources, and Sentry to report errors from my production environment.

In order to get errors from Sentry, in a readable manner, I need to add source-map

Is it safe to do it in production servers, or the source-maps files should only exist on staging environment?
Is there a way to secure them on production environment?

Answered by John Bernardsson

Searching for a possible solution to this, and if someone is not specifically using Sentry, I got to this blog post (ironically a Sentry blog post):

https://blog.sentry.io/2015/10/29/debuggable-javascript-with-source-maps.html

Where there is an interesting idea: "private source maps". It implies generating the source maps in someplace that is not accessible from the internet (such as your company VPN), so only you or your team can access the source maps files.

Quoting the "Private Source Maps" section of the post:

[...] all of our examples assume that your source maps are publicly available, and served from the same server as your executing JavaScript code. In which case, any developer can use them to obtain your original source code.

To prevent this, instead of providing a publicly-accessible sourceMappingURL, you can instead serve your source maps from a server that is only accessible to your development team. For example, a server that is only reachable from your company's VPN.

//# sourceMappingURL=http://company.intranet/app/static/app.min.js.map

When a non-team member visits your application with developer tools open, they will attempt to download this source map but get a 404 (or 403) HTTP error, and the source map will not be applied.

Seems like a good idea to me!
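
One way to enforce the "private source maps" idea before a deploy, as an added example that is not part of this answer or of the Sentry post: a Node.js check that reads each built file's sourceMappingURL directive and flags any map that would be publicly fetchable (relative URLs, non-intranet hosts, or inline data: URIs that embed the sources in the bundle itself). The intranet host allow-list and the sample bundles are constructed for this example.

```javascript
// Added example (not from the question or answers): pre-deploy audit of
// sourceMappingURL directives. Assumes Node.js; PRIVATE_HOSTS is an assumed
// allow-list of hosts that are only reachable from the development VPN.
const PRIVATE_HOSTS = new Set(["company.intranet"]);

// Matches the trailing directive in either comment form:
//   //# sourceMappingURL=<url>   or   /*# sourceMappingURL=<url> */
// The legacy "//@" spelling is accepted as well.
const DIRECTIVE_RE = /(?:\/\/|\/\*)[#@]\s*sourceMappingURL=(\S+?)\s*(?:\*\/)?\s*$/m;

function classifySourceMap(bundleText, privateHosts = PRIVATE_HOSTS) {
  const m = DIRECTIVE_RE.exec(bundleText);
  if (!m) return { kind: "none", url: null };
  const url = m[1];
  if (url.startsWith("data:")) {
    // Inline map: the original sources ship inside the bundle itself.
    return { kind: "inline", url };
  }
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    // Relative URL: fetched from the bundle's own origin, so exactly as public as the bundle.
    return { kind: "public-relative", url };
  }
  if (privateHosts.has(parsed.hostname)) return { kind: "private", url };
  return { kind: "public-absolute", url };
}

// Returns human-readable findings for a map of file name -> contents; a CI step can fail when non-empty.
function auditBundles(bundles, privateHosts = PRIVATE_HOSTS) {
  const findings = [];
  for (const [name, text] of Object.entries(bundles)) {
    const r = classifySourceMap(text, privateHosts);
    if (r.kind !== "none" && r.kind !== "private") {
      findings.push(`${name}: ${r.kind} source map (${r.url.slice(0, 60)})`);
    }
  }
  return findings;
}

// Constructed sample build output: one private map, one relative map, one inline map.
const SAMPLE_BUNDLES = {
  "app.min.js": "!function(){}();\n//# sourceMappingURL=http://company.intranet/app/static/app.min.js.map\n",
  "vendor.min.js": "!function(){}();\n//# sourceMappingURL=vendor.min.js.map\n",
  "styles.min.css": "body{margin:0}\n/*# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozfQ== */\n",
};

const FINDINGS = auditBundles(SAMPLE_BUNDLES);
FINDINGS.forEach((f) => console.log(f)); // two findings: vendor.min.js and styles.min.css
```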

Answered by David Cramer

Your primary concerns will be "is it ok if the user has my source code?" Usually it is fine, as users can deobfuscate things anyways.

That said, if you're using Sentry, you can actually use the releases API to avoid this problem. You'll still need to generate the artifacts, and set URLs (or something that the API can handle), but you don't have to expose them to the internet.