我正在使用Firebase Auth将用户登录到我的网站。登录后,它们将重定向到/console.html。
在此文件的标题中,
<script type="text/javascript">
firebase.auth().onAuthStateChanged(function(user) {
if (user) {
// User is signed in.
} else {
// No user is signed in.
window.location.href = '/';
}
});
</script>
检查是否已登录。如果未登录,则将它们重定向到index.html,这只是一个登录页面。我的问题是,如果有人禁用Javascript并转至/console.html,它将被忽略,他们将能够看到该网页上显示的内容。
用于提供登录的代码使用FirebaseUI,如下所示:
<script type="text/javascript">
// Initialize the FirebaseUI Widget using Firebase.
var ui = new firebaseui.auth.AuthUI(firebase.auth());
var uiConfig = {
callbacks: {
signInSuccessWithAuthResult: function(authResult, redirectUrl) {
// User successfully signed in.
// Return type determines whether we continue the redirect automatically
// or whether we leave that to developer to handle.
return true;
},
uiShown: function() {
// The widget is rendered.
// Hide the loader.
document.getElementById('loader').style.display = 'none';
}
},
// Will use popup for IDP Providers sign-in flow instead of the default, redirect.
signInFlow: 'popup',
signInSuccessUrl: 'console.html',
signInOptions: [
// Leave the lines as is for the providers you want to offer your users.
firebase.auth.EmailAuthProvider.PROVIDER_ID
],
// Terms of service url.
tosUrl: '<your-tos-url>',
// Privacy policy url.
privacyPolicyUrl: '<your-privacy-policy-url>'
};
// The start method will wait until the DOM is loaded.
ui.start('#firebaseui-auth-container', uiConfig);
</script>
(从Firebase文档复制)。
答案 0 :(得分:2)
您永远不应仅在客户端上保护任何重要信息,在确定页面上的内容是否安全时,请始终假定没有客户端保护。
无论您在HTML文件中显示的内容是什么,都只能从服务器/数据库中获取,或者只要服务器端的某些安全规则匹配就可以。