Let's say I have a PHP-generated JavaScript file that has the user's name, id number and email address that is currently logged in. Would a simple document.location.href lookup prevent remote sites from determining the currently logged in user?
Would this be safe?
    if(window.document.location.hostname == 'domain.com')
        var user = {
            name:'me',
            id:234243,
            email:'email@email.com'
        };
    else alert('Sorry you may not request this info cross sites.');
Initially it appears safe to me.
EDIT: I had initially thought this was obvious, but I am using cookies to determine the currently logged in user. I am just trying to prevent cross-domain access to the user's info. For example, if the if statement was removed, malicious site A could embed the JavaScript file and access the user's info. By adding the if statement, the user js object should never appear. Cross-site ajax isn't supported; therefore only through JavaScript insertion could the malicious site attempt to determine the currently logged in user.
EDIT 2: Would checking my http_refer using PHP be safe? What if caching is also enabled for the client? For example, if the user visits my site A, where the user script is downloaded, and then later visits malicious site B, would the script be cached, therefore bypassing the need for the server to check the user's http_refer?
You're basically saying "here's the keys to the bank vault, here's the guard's schedule, and here's the staff schedule. But hey, if you're not from the Acme Security Company, pretend I didn't give this to you".
"Oh, sure, no problem, lemme just pretend to shred this note and go rent a large truck to haul away your vault contents with."
You really just don't want to try something like this. Suppose I'm running an evil site; what do I do?
    <script>
      RegExp.prototype.test = function() { return true; };
    </script>
    <script src="http://yoursite.example.com/dynamicjs.php"></script>
    <script>
      alert("Look at the data I stole: " + user);
    </script>
No, what you have there is not "safe" in that it will reveal those details to anyone requesting the HTML page containing that JavaScript. All they have to do is look at the text (including script) returned by the server.
What it comes down to is this: Either you have authenticated the other end to your satisfaction, in which case you don't need the check in the JavaScript, or you haven't, in which case you don't want to output the details to the response at all. There's no purpose whatsoever to that client-side if statement. Try this: http://jsbin.com/aboze5 It'll say you can't request the data; then do a View Source, and note that you can see the data.
Instead, you need to check the origin of the request server-side and not output those details in the script at all if the origin of the request is not authenticated.
Update 1: Below you said:
I was specifically trying to determine if document.location.href could be falsified.
Yes, document.location can be falsified through shadowing the document symbol (although you might be able to detect that if you tried hard enough):
    (function() {
        var document; // Shadow the symbol
        document = {
            location: {
                href: "http://example.com/foo.html"
            }
        };
        alert("document.location.href = " + document.location.href);
    })();
Cross-domain checks must happen within the browser's internals; nothing at the level of your JavaScript code can do it securely and robustly.
But that really doesn't matter. Even if it couldn't be falsified, the quoted example code doesn't protect the data. By the time the client-side check is done, the data has already been sent to the client.
Update 2: You've added a note about checking the HTTP_REFERER (sic) header (yes, it really is misspelled). Sadly, no, you can't trust that. HTTP_REFERER can be spoofed, and separately it can be suppressed.
Off-topic: You're probably already doing this, but: When transferring personal details you've promised to keep confidential (I don't know whether you have, but hopefully so), use HTTPS (e.g., SSL). But it's important to remember that while HTTPS ensures that data cannot be read in transit, it does nothing to ensure that the origin of the request is authenticated. E.g., you know the conversation is secure (within reason and current practice), but you don't necessarily know who you're talking to. There's where authentication comes into it.
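An added example, not part of the original question or answers: an offline JavaScript version of the jsbin demonstration above, showing that the client-side guard can fire while the record is still readable in the response text, next to a server-side decision that writes nothing personal. The function names, the `authenticated` flag and the sample record are constructed for illustration; how the server establishes `authenticated` is outside the sketch.

```javascript
// Constructed sample record standing in for the logged-in user.
const sampleUser = { name: 'me', id: 234243, email: 'email@email.com' };

// The question's approach: the record is always written into the script and
// a client-side `if` decides whether to assign it.
function renderGuardedScript(user) {
  return "if (window.document.location.hostname == 'domain.com')\n" +
         '  var user = ' + JSON.stringify(user) + ';\n' +
         "else alert('Sorry you may not request this info cross sites.');\n";
}

// The answer's approach: decide on the server and write nothing personal
// unless the request is authenticated. Assumption: the caller supplies
// `authenticated`; how it is established is outside this sketch.
function renderServerChecked(user, authenticated) {
  return 'var user = ' + (authenticated ? JSON.stringify(user) : 'null') + ';\n';
}

// "View Source" as a function: which fields of the record can be read
// straight out of the response text without executing it?
function leakedFields(body, user) {
  return Object.keys(user).filter((k) => body.includes(JSON.stringify(user[k])));
}

// Execute a script body as a page on `hostname` would, with a stand-in
// `window` and an `alert` that records its messages.
function runOnHost(body, hostname) {
  const alerts = [];
  const fakeWindow = { document: { location: { hostname } } };
  const run = new Function('window', 'alert', body + '\nreturn user;');
  return { user: run(fakeWindow, (m) => alerts.push(m)), alerts };
}

const guarded = renderGuardedScript(sampleUser);
const blocked = runOnHost(guarded, 'other.example');
console.log('guard fired:', blocked.alerts.length === 1, 'user:', blocked.user);
console.log('readable in response text:', leakedFields(guarded, sampleUser));
console.log('server-checked, unauthenticated:',
  leakedFields(renderServerChecked(sampleUser, false), sampleUser));
```

A check like `leakedFields` can be run against the generated script in a test suite to confirm that an unauthenticated response carries none of the record's values.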