4

My server has a JavaScript file, and I only want to allow certain web sites to be able to run it. I know the few sites that may use it.

In ASP.NET MVC, or ASP.NET Core, how can I restrict the javascript from being sent to a rogue web site?

5
  • 6
    If it's accessible from the client it's completely downloadable just like an image. If you're using something like bundling and minification you can at least make it very confusing to find the code needed to perform an operation and the minification can make it hard to understand. Bottom line though, if it's loaded in the client someone just needs the F12 tools or Fiddler to keep it for themselves. Commented May 1, 2018 at 19:18
  • 1
    Is there a way though, on my server, to ask of the Request "Are you being requested from GoodSite.com instead of EvilSite.com" and just send null to a reference to the JavaScript on EvilSite.com? The Header Referred can be spoofed. Commented May 1, 2018 at 19:31
  • 2
    The problem is that JavaScript and similar resources are requested via the client, not the server. In other words, neither GoodSite.com nor EvilSite.com is making the request - the request comes from Joe Schmoe user through some browser in both cases. Commented May 1, 2018 at 19:49
  • Another option would be to set a cookie from your website that is required to serve the javascript from a controller action. Commented May 1, 2018 at 22:30
  • @MarkG not 100% foolproof either. Commented May 2, 2018 at 2:26

1 Answer

6

You can't 100% avoid it, but you could check window.location to see if the origin matches.

if (location.origin.toLowerCase() !==  'http://example.com') {
    // you can't use me
}

2 Comments

If someone has the file they can just remove this check and use the rest of the file. Minification will make it more complicated for them but still.
Indeed, that's the only way. And that only prevents people from directly linking to the script and using it on their webpages - they can still download it, change that line and host it elsewhere but you cannot really do much about that. At best you can throw some obfuscation like minifying the file and maybe bundling it with other stuff but it's still not going to stop anybody who is determined enough. And pretty much anybody who'd bother "stealing" JavaScript will be able to bypass that, too.
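The origin check from the answer, generalised to the "few sites" the question mentions, as an added example that is not part of the original thread. The hostnames, the `ALLOWED_ORIGINS` set and the function names are assumptions; the same comparison can be applied to `location.href` in the script or to a `Referer` header on the server, and in both places it only discourages hot-linking, as the comments above point out.

```javascript
// Added example: exact-match origin allowlist. Hostnames are placeholders.
const ALLOWED_ORIGINS = new Set([
  'https://goodsite.example',
  'https://partner.example:8443',
]);

// Reduce a URL (location.href or a Referer header value) to its canonical
// origin: lowercased host, default port dropped, userinfo and path ignored.
function toOrigin(value) {
  if (typeof value !== 'string' || value === '') return null;
  try {
    const origin = new URL(value).origin;
    // Opaque origins (data:, file:, sandboxed frames) serialize as "null".
    return origin === 'null' ? null : origin;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Compare the whole origin, never a substring or prefix of the URL, so
// lookalike hosts and a downgraded scheme do not pass.
function isAllowedOrigin(value, allowed = ALLOWED_ORIGINS) {
  const origin = toOrigin(value);
  return origin !== null && allowed.has(origin);
}

// Client side, as in the answer: decide whether the script should initialise.
function shouldInitialise(locationLike) {
  return isAllowedOrigin(locationLike.href);
}

// Server side, as discussed in the comments: decide whether to serve the file
// based on the Referer header. Assumption: a missing Referer is refused here,
// which also refuses legitimate users whose browser strips the header.
function shouldServeScript(headers) {
  return isAllowedOrigin(headers.referer);
}
```
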
