How does LinkedIn know or keep track of where I embedded its widget?

Submitted by 扶醉桌前 on 2019-12-22 00:59:42

Question


When you try to integrate with LinkedIn's Apply Now button, you first sign up for an API key. The form asks you to enter the Javascript Domain API, which is the fully-qualified domain name of all pages that will call the JavaScript API with this key. In return, it produces an API key and some HTML code for you which you can copy and paste into your web page and get started.

This is the code their wizard produced:

<script src="http://platform.linkedin.com/in.js" type="text/javascript">
  api_key: 7a4ghb12agvda4552da
</script>

<script type="IN/Apply"
  data-companyname="Asd"
  data-jobtitle="Software Developer"
  data-joblocation="Istanbul"
  data-email="abc@xyz.com">
</script>

Now, how does one keep track of where this script is embedded? I first entered http://example.com as my Javascript Domain API. It turned out that I can only use this widget on the example.com domain.

What's inside in.js that tells LinkedIn where it is embedded?

The reason I'm asking is because I am also building a widget myself, and I want to make sure only the signed-up domains can use my widget.

Edit: As a bonus, what if I download in.js, remove the part where it does the domain check and include my own version of in.js in my page? How do they prevent that?

A LinkedIn employee mentions that both client-side and server-side checks are done. But what kind of a check would that be? I am looking for some deep insight into the issue. How can I produce such a widget? On the client-side, how do you check the current page that hosts your .js file? And how do you get which domain is hosting the js file? Any help appreciated. Thanks.


Answer 1:


The LinkedIn JavaScript framework won't work if you make a local copy of in.js - the backend server (which in.js calls) checks to make sure that in.js is coming from the correct server, as well as checking to make sure that the framework will only work on the specified domain(s).

This question was asked/answered here: https://developer.linkedin.com/forum/security-prevent-impersonations




Answer 2:


in.js has a script which adds another script tag into the DOM. It passes the API key (probably as a GET parameter in the script's URL), then the server checks the HTTP referer (which is a standard HTTP header browsers send indicating the website which sent them to get that page) and checks if it matches the API key in the database.

A simpler version would contain something like this:

// Loader: inject a second script tag whose URL carries the API key.
// (Quotes fixed so the key ends up inside the src attribute.)
document.write('<script src="http://mysite.com/api.js?key=' + api_key + '"></' + 'script>');

Then on the server, something like this pseudo-code:

// Look up the domain registered for the key, then compare it with the
// domain in the Referer header before serving the script.
var expectedDomain = queryTable('apikeys').equal('key', GET('key')).field('domain').run();
if (expectedDomain === parseDomain(http.referer)) {
    respond(myscript);
} else {
    respond(403);   // key and referring domain do not match: serve nothing
}
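As an added example (this is not LinkedIn's code and not from either answer), here is a small Node.js widget host that implements the key-plus-Referer gate answer 2 sketches, with the details a real implementation needs: the Referer is parsed as a URL rather than string-matched, a missing or non-http(s) Referer fails closed, the domain comparison is exact or on a label boundary so that notexample.com and example.com.evil.net do not pass for example.com, and the served script carries the key so that the widget's later backend calls can be put through the same check (answer 1's point about a local copy of in.js). The registry, the key names, the domains and the /api.js path are made up for the example; only the Node standard library is used.

```javascript
// Added example, not LinkedIn's code: a minimal widget host that gates the
// script on API key + embedding domain, the way answer 2 describes.
// Node.js standard library only; keys, domains and the /api.js path are made up.

// Constructed registry: what the sign-up form would persist (key -> allowed domains).
const REGISTRY = {
  'key-asd-1234': ['example.com'],
  'key-multi-5678': ['shop.example.org', 'blog.example.org'],
};

// Hostname of the page that requested the script, taken from the Referer (or
// Origin) header. Returns null when the header is missing or is not an http(s)
// URL: "unknown" must never be treated as "allowed".
function parseDomain(headerValue) {
  if (!headerValue) return null;
  let u;
  try { u = new URL(headerValue); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.hostname.toLowerCase(); // drops userinfo, port, path and query
}

// Exact match or a subdomain match on a label boundary, so neither
// "notexample.com" nor "example.com.evil.net" passes for "example.com".
function domainAllowed(hostname, allowedDomains) {
  if (!hostname) return false;
  return allowedDomains.some(d => hostname === d || hostname.endsWith('.' + d));
}

// The decision for one request. Both the key and the referring domain must
// check out; the reason is returned so refusals can be logged.
function authorize(key, refererHeader) {
  const allowed = REGISTRY[key];
  if (!allowed) return { ok: false, reason: 'unknown api key' };
  const host = parseDomain(refererHeader);
  if (!host) return { ok: false, reason: 'no usable Referer' };
  if (!domainAllowed(host, allowed)) {
    return { ok: false, reason: 'domain ' + host + ' not registered for key' };
  }
  return { ok: true, reason: 'ok', domain: host };
}

// Body of the script served on success. It carries the key so that the
// widget's later calls to the backend can be run through authorize() again.
// The client-side readings of location.hostname and currentScript.src are
// informational only: the embedding page controls that environment.
function widgetSource(key) {
  return [
    'window.MyWidget = { key: ' + JSON.stringify(key) + ' };',
    'window.MyWidget.page = document.location.hostname;',
    'window.MyWidget.loadedFrom = document.currentScript ? document.currentScript.src : null;',
  ].join('\n');
}

// HTTP handler: GET /api.js?key=... -> 200 with the script, otherwise 403/404.
function handler(req, res) {
  const u = new URL(req.url, 'http://localhost');
  if (u.pathname !== '/api.js') { res.writeHead(404); res.end(); return; }
  const key = u.searchParams.get('key');
  const decision = authorize(key, req.headers['referer'] || req.headers['origin']);
  if (!decision.ok) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end('forbidden: ' + decision.reason + '\n');
    return;
  }
  // no-store: a shared cache must not replay a 200 for another site's page.
  res.writeHead(200, { 'Content-Type': 'application/javascript', 'Cache-Control': 'private, no-store' });
  res.end(widgetSource(key));
}

// Start serving; the server object is returned so the caller can close it.
function startServer(port) {
  const http = require('http');
  return http.createServer(handler).listen(port);
}
```

To try it, append `startServer(8080);` to the file, run it with node, and embed `<script src="http://localhost:8080/api.js?key=key-asd-1234"></script>` in a page; from the shell, `curl -H 'Referer: http://example.com/careers' 'http://localhost:8080/api.js?key=key-asd-1234'` gets the script and the same request without the header gets a 403. Keep the limits of this gate in mind: the Referer is set by the client, so a non-browser caller can forge it and a page with a no-referrer Referrer-Policy will be refused even though it is the registered site (fail closed is the right default, but it is a support cost). What the check buys you is that a key is only usable together with its domain, and, because the widget's subsequent backend calls pass through the same authorize() logic, stripping the client-side check from a downloaded copy of the script does not help an attacker.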


Source: https://stackoverflow.com/questions/8615467/how-does-linkedin-know-or-keep-track-of-where-i-embedded-its-widget
