Question
I'm working inside of a Google Chrome extension. Extensions do not send out a "Referer" header when issuing requests, but it is possible to (potentially) modify this behavior by using chrome.webRequest.onBeforeSendHeaders.
I am attempting to communicate with Google's YouTube V3 API. To do so, I must provide an API key. A successful request to their server looks like:
```javascript
$.ajax({
  url: 'https://www.googleapis.com/youtube/v3/playlists?part=snippet&id=ALYL4kY05133rTMhTulSaXKj_Y6el9q0JH&key=AIzaSyBWegNdKdnwKGr2bCKRzqXnWw00kA7T2lk',
  success: function (response) {
    console.log("Success", response);
  },
  error: function (error) {
    console.log("Error:", error);
  }
});
```
Now, this request works because I have gone to my Google API Console and created a Simple API Access Browser Key with its allowed referers set to:
Referers: Any referer allowed
This seems like a security flaw to me because I would like to ensure that only my program is allowed to query the API. However, Google has been pretty clear that they don't care about this flaw because anyone can request an API key at any time.
That said, I'm left wondering if this is the correct implementation. There is an area inside of the Google API Console which allows you to define a "Client ID for installed applications" which is associated with a specific Google Chrome extension.
Once this installed application Client ID is configured I am able to interact with chrome.identity.getAuthToken.
This generates a valid OAuth2 auth token for the given client which is definitely what I am interested in in terms of security. However, I can't use this OAuth2 token to fulfill Google API requests. It does not acknowledge the OAuth2 token as a valid client ID (why should it?) nor does it provide any means of accepting the OAuth2 token.
So, I'm left hanging here. I have one means of requesting a relatively secure token, but it isn't actually usable in the request. And, I have an alternative, incredibly insecure means of generating an API key which works right out of the box.
Has anyone else experienced this? What should be done?
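As an added example that is not part of the original question: a token obtained from chrome.identity.getAuthToken is supplied to Google APIs in an Authorization: Bearer header rather than as a key= query parameter, which also keeps the secret out of URLs that end up in logs and history. The manifest entries and the helper names (buildPlaylistRequest, getAuthToken, fetchPlaylist) are assumptions.

```javascript
// Added example (not from the question): call the YouTube Data API v3 with
// an OAuth2 bearer token from chrome.identity instead of a key= query
// parameter. Assumes the extension's manifest declares the "identity"
// permission and an "oauth2" block with the client ID and the scope
// https://www.googleapis.com/auth/youtube.readonly (assumed configuration).

const YOUTUBE_PLAYLISTS = 'https://www.googleapis.com/youtube/v3/playlists';

// Build the request description: the token travels in the Authorization
// header, so no secret appears in the URL (URLs end up in logs and history).
function buildPlaylistRequest(token, playlistId) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('missing OAuth2 access token');
  }
  const url = new URL(YOUTUBE_PLAYLISTS);
  url.searchParams.set('part', 'snippet');
  url.searchParams.set('id', playlistId);
  return {
    url: url.toString(),
    headers: { Authorization: 'Bearer ' + token, Accept: 'application/json' },
  };
}

// Promise wrapper around the callback-style chrome.identity.getAuthToken.
// chrome.runtime.lastError is set when the user declines the consent prompt
// or the client ID in the manifest does not match the console entry.
function getAuthToken(interactive) {
  return new Promise((resolve, reject) => {
    chrome.identity.getAuthToken({ interactive: interactive }, (token) => {
      if (chrome.runtime.lastError || !token) {
        reject(new Error(chrome.runtime.lastError ? chrome.runtime.lastError.message : 'no token'));
      } else {
        resolve(token);
      }
    });
  });
}

async function fetchPlaylist(playlistId) {
  const token = await getAuthToken(true);
  const req = buildPlaylistRequest(token, playlistId);
  const resp = await fetch(req.url, { headers: req.headers });
  if (resp.status === 401) {
    // Token expired or revoked: drop it from the cache so the next call re-prompts.
    await new Promise((done) => chrome.identity.removeCachedAuthToken({ token }, done));
    throw new Error('unauthorized; cached token cleared');
  }
  return resp.json();
}
```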
Source: https://stackoverflow.com/questions/22900593/referer-security-when-requesting-a-simple-api-access-key