问题
After consulting MDN for the referrer-policy and Googling, DuckDucking and StackOverlow-searching, maybe you can help me with this rather simple (yet illusive) issue?
Process Flow
- the browser makes a request to the server
- based on the HTTP_REFERER header, the server decides a response
but why? (you ask)
This is part of an elaborate set of security checks, in this case deciding if the client has access to a file requested FUBU (for us by us).
This will not work if the referer is missing, but when JavaScript issues a request for a specified worker - the referer (request-header) is indeed missing.
what I've tried - and FAILED
- setting
Referrer-Policy: same-originfor EVERY request - setting the appropriate CORS headers
Access-Control-Allow-Headers: x-requested-with- in response to EVERY request.
question
How can I find out if a request was made for a JS worker file, or just FORCE the HTTP mechanism to behave like it should?
回答1:
Thinking out of "the box"
Since there "seems" to be no way to do this in a "good" way, one could always apply a lil creativity to achieve a specific outcome.
Just to recap:
- the requirement is to have a way to identify from where a request is made
- this can either be achived manually per
Workerinvocation, or automatically - any security issues seem to be handled elsewhere
- altering the
WorkerURL upon invocation could be helpful for automatic handling
Work-able solution
Here is a wrapper that can be used to "hijack" some class invocations or methods:
const hijack = function(driver,victim,jacker)
{
if(((typeof driver)=='string')&&!victim){return this.plan[driver]}; // recap
if(victim in this.plan){return}; // only jack once? .. less cruel
this.plan[victim]={victim:driver[victim],jacker:jacker}; // plan the heist
let con = {enumerable:false,configurable:false,writable:false,value:function()
{
let car=hijack((this.mask||this.name||this.constructor.name)); let m=this.mask;
let arg=car.jacker.apply(null,arguments); if(!Array.isArray(arg)){arg=[arg]};
if(!m){return new (Function.prototype.bind.apply(car.victim,[null].concat(arg)))()}
else{return car.victim.apply(this,arg)};
}};
try{con.value.prototype = Object.create(driver[victim].prototype)} // blend in
catch(oops){Object.defineProperty(driver,'mask',{value:victim});}; // recover
Object.defineProperty(driver,victim,con);
}.bind({plan:{}});
... nail meets hammer
How it works
- It takes in 3 arguments:
driver~ the object that contains the target function/methodvictim~ the name of the function/method that will be interceptedjacker~ a callback-function -which is used to relay/change arguments
- The original method is copied to where it can be used or subsequent calls
- The callback imposes (deposes) the original and can either relay arguments unchanged between the caller and the callee (exactly like the original), but now you can control how it happens (if at all) and what to relay exactly; either with some simple condition(s) or some elaborate scheme (a.k.a "evil plan")
- For the sake of simplicity this code (above) only permits 1 interception per
victim, but this can be extended for multiple intercepts; either by "chain-relay" (callback array) or "event-dispatcher + event-listener combo(s)".
How to use
Specific to the question:
hijack(window,'Worker',function(arg){return `${arg}?worker=true`});
To address the security concerns in the comments, an api-key could be useful; so if some string was passed to the running instance (browser or server) that is unique to the current session (or client), it could suffice, for example:
hijack(window,'Worker',function(arg){return `${arg}?worker=${window.ApiKey}`});
.. where ApiKey was defined globally as a string, but it can also be the result of a function-call -which gets it from a cookie, or whichever.
Useful tool
This can also be used to enhance security. If you are concerned about XHR requests made from devtools or even worse: eval() -then you can use this hijack to intercept those calls/invocations globally.
For example:
hijack(URL,'createObjectURL',function(arg){console.log(arg); return `whatever`});
If you plan to use this as security tool, then it needs some TLC with a dash of "call-stack back-trace", a "mutation-observer" .. and a pinch of (dark) matter (:
disclaimer
nobody got hurt during this exercise .. the victim turned out okay .. use at your own discretion
来源:https://stackoverflow.com/questions/58459470/php-how-to-check-if-request-is-for-js-worker