I include a PHP script that renders some JavaScript, like this:

 <script src="http://example.net/somejsfile.php"></script>



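How can I get the domain name of the web page that includes the script? The goal is to allow the script to load only on certain domains.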


So imagine I am on http://mystore.com/page1.html


What I want is to be able to extract mystore.com from http://example.net/somejsfile.php

Here is the print_r of the $_SERVER variable:



Array
(
    [SERVER_SOFTWARE] => Apache/2.4.18 (Ubuntu)
    [REQUEST_URI] => /......
    [HTTPS] => on
    [SSL_TLS_SNI] => domain.com
    [HTTP_HOST] => domain.com
    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
    [HTTP_ACCEPT] => */*
    [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
    [HTTP_ACCEPT_ENCODING] => gzip, deflate, br
    [HTTP_COOKIE] => ....
    [HTTP_CONNECTION] => keep-alive
    [HTTP_CACHE_CONTROL] => max-age=0
    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    [SERVER_SIGNATURE] => ...
    [SERVER_NAME] => ....
    [SERVER_ADDR] => 192.168.1.51
    [SERVER_PORT] => 443
    [REMOTE_ADDR] => ....
    [DOCUMENT_ROOT] => ....
    [REQUEST_SCHEME] => https
    [CONTEXT_PREFIX] =>
    [CONTEXT_DOCUMENT_ROOT] => /....
    [SERVER_ADMIN] => [no address given]
    [SCRIPT_FILENAME] => ....
    [REMOTE_PORT] => 56852
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] =>
    [SCRIPT_NAME] => ...
    [PHP_SELF] => /...
    [REQUEST_TIME_FLOAT] => 1517979916.084
    [REQUEST_TIME] => 1517979916
)
As you can see, $_SERVER['HTTP_ORIGIN'] and $_SERVER['HTTP_REFERER'] are not even an option. Any ideas?

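Answer 0 (score: 0)
This is a very simple solution:
For example: getprotectedscript.php
<?php
// $your_allowed_origins and $your_script_file are placeholders to define yourself.
// HTTP_ORIGIN is only set when the request carries an Origin header.
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $your_allowed_origins, true))
    readfile("protected_directory/$your_script_file");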
Be sure to add the following to the .htaccess in protected_directory:
DENY FROM ALL
Finally, on the client side, you have to do this:
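// The event name is 'load'; 'onload' is only the name of the handler property.
window.addEventListener('load', async function () {
    // Download the script text through the PHP gatekeeper.
    const response = await fetch('getprotectedscript.php');
    // Inject the downloaded source as an inline script so it executes.
    const script = document.createElement("script");
    script.textContent = await response.text();
    document.body.appendChild(script);
});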
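
A fuller server-side version of the allow-list check, as an added example that is not part of the original answer: it takes the embedding page's host from Origin when the browser sends it and from Referer otherwise, since a plain <script src> request like the one in the question normally carries only Referer (and Referrer-Policy can strip that too). Both headers are supplied by the client, so this limits which sites browsers will embed the script on and does not authenticate the caller. The allow-list entries, the function names and the script.js file name are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed allow-list; all names in this file are hypothetical.
const ALLOWED_HOSTS = ['mystore.com', 'www.mystore.com'];

/** Host of the embedding page, or null when no usable header was sent. */
function embedding_host(array $server): ?string
{
    // fetch() from another site sends Origin; a plain <script src> GET
    // normally sends only Referer. If Origin is present it wins, even when
    // it is unusable (e.g. the literal "null"), so Referer cannot override it.
    $value = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($value, PHP_URL_HOST);
    return (is_string($host) && $host !== '') ? strtolower($host) : null;
}

function serve_script(array $server, string $path): void
{
    header('Content-Type: application/javascript');
    // The answer depends on these request headers, so caches must key on them.
    header('Vary: Origin, Referer');

    $host = embedding_host($server);
    // Exact match only: a substring or suffix test would also accept
    // look-alike hosts such as mystore.com.example.org.
    if ($host === null || !in_array($host, ALLOWED_HOSTS, true)) {
        http_response_code(403);
        echo '/* this script is not enabled for the requesting site */';
        return;
    }
    if (isset($server['HTTP_ORIGIN'])) {
        // Origin was validated above; echoing it lets a cross-origin
        // fetch() read the response body.
        header('Access-Control-Allow-Origin: ' . $server['HTTP_ORIGIN']);
    }
    readfile($path);
}

// script.js is a placeholder file name.
serve_script($_SERVER, __DIR__ . '/protected_directory/script.js');
```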