本文介绍了网站可以知道我是否正在运行用户脚本吗?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

例如,Facebook.com 能否在我的浏览器上运行一个版本控制脚本,并找出我是否正在使用脚本运行更改过的 HTML 代码?

Can, for example, Facebook.com run a version control script on my browser and find out if I am running altered HTML code with the use of a script?

是否可以使用一个脚本来完成,该脚本可以读取缓存中的 HTML 代码并生成某种散列标签,然后将其发送回服务器并与发送到客户端的代码进行比较?

Could that be done with a script that can read the HTML code in the cache and produce some kind of hash tag that is sent back to the server and compared with the code that was sent to the client?

推荐答案

是的,理论上,一个站点可以在各种情况下推断出脚本的存在.

Yes, in theory, a site can deduce the presence of scripts in various situations.

这不是万无一失的,通常对于网站的微不足道的威胁"来说太麻烦了.(话又说回来,有些网站管理员可能对此类事情过于偏执.;))

This is not foolproof and usually is way too much trouble for the negligible "threat" to the site. (Then again, some webmasters can be obsessive-paranoids about such things. ;) )

某些方法,取决于脚本的作用(无特定顺序):

Some methods, depending on what the script does (in no particular order):

  1. 游戏或拍卖网站可以监控出价"点击的时间(速度和规律).

  1. Gaming or auction sites can monitor the timing (speed and regularity) of "bid" clicks.

一个站点可以 AJAX 支持 节点的数量,寻找额外的.

A site can AJAX-back the count of say, <script> nodes, looking for extras.

同样,网站可以 AJAX 支持页面的任何或所有内容,并将其与预期值进行比较.

Similarly, a site can AJAX-back any or all of the content of a page and compare that to expected values.

额外的 AJAX 调用或不满足隐藏要求的 AJAX 调用可以被记录下来(并允许看起来成功).

Extra AJAX calls, or AJAX calls that don't meet hidden requirements can be noted (and allowed to appear to succeed).

如果脚本以正确(错误)的方式使用 unsafeWindow一个页面可以检测到,甚至劫持(稍微)提升的权限.

If the script uses unsafeWindow in just the right (wrong) way, a page can detect that and even hijack (slightly) elevated privileges.

可以检测到之前不是鼠标悬停事件的点击".我实际上已经看到它在野外使用.

"Clicks" that were not preceded by mouseover events can be detected. I've actually seen this used in the wild.

页面的 javascript 通常可以检测脚本生成的点击(等)与用户生成的不同.(感谢 c69 的提醒.)

A page's javascript can often detect script-generated clicks (etc.) as being different than user generated ones. (Thanks, c69, for the reminder.)

最终,优势在于用户脚本编写者.网页采取的任何对策都可以在用户端被检测到并阻止.即使是自定义的、必需的插件或必需的硬件加密狗,也可能被熟练且积极主动的用户破坏.

Ultimately, the advantage is to the userscript writer, however. Any counter-measures that a webpage takes can be detected and thwarted on the user end. Even custom, required plugins or required hardware dongles can be subverted by skilled and motivated users.

这篇关于网站可以知道我是否正在运行用户脚本吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

05-28 11:54
查看更多