.htaccess to prevent from direct access to files, but allowing <script src = , how to?

Time:10-14

I have an application with PHP, HTML and JS (/homesec). The .php files are in a controler directory (/homesec/controler); the .js and .phtml files are in a vue directory (/homesec/vue).

I must allow use of some URLs and refuse use of others (with a 403):
allowed: https://...../homesec/controler/home.php
forbidden (403): https://...../homesec/vue/home.js
and I need the .phtml files to call their .js files like this:
allowed: (in /vue/home.phtml)

To do it I created a /homesec/vue/.htaccess with:

    Require all denied
    Require ip ::1

and it doesn't work.

On my dev PC (wampserver):
works, it's OK
https://...../homesec/vue/home.js works, it's bad

On the prod server:
fails, it's bad
https://...../homesec/vue/home.js fails, it's OK

So it seems it also depends on the Apache server ...

The question is: how to prevent URLs with direct access to .js files with .htaccess but still allow the syntax in the .phtml files?

CodePudding user response:

There is no effective way to supply a JS file to a browser while preventing the owner of the browser from accessing the source code of that JS file.

The closest you could come would be to examine the Referer header but that is:

  • Unreliable
  • Would not stop the user monitoring the data in the Network tab of their browser
  • Would not stop the user accessing the URL if it was already in their browser cache
  • Might cache a Forbidden error and deny access when the HTML document is subsequently visited
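
An added example, not part of the original question or answers: the .htaccess from the question next to a version that matches what the answer says, leaving the scripts public and refusing only the templates. It assumes Apache 2.4 with `AllowOverride AuthConfig` for this directory, and that the .phtml files are read from disk by the PHP controllers (include/require) rather than requested by URL.

```apache
# /homesec/vue/.htaccess   (Apache 2.4, mod_authz_core)
# Needs "AllowOverride AuthConfig" (or All) on this directory in the
# server config, otherwise the Require lines are not accepted here.

# --- Before (as posted in the question) -------------------------------
# Several Require lines in one section are OR-ed (implicit <RequireAny>),
# so this grants access only to clients whose address is ::1.
#  - On a WAMP dev PC the browser runs on the server itself, so every
#    file in /vue is served, including a typed home.js URL.
#  - On the production server every remote browser gets 403 for home.js,
#    whether the URL was typed or came from <script src>. Both are the
#    same GET request from the same client; Apache cannot tell them apart.
#
#   Require all denied
#   Require ip ::1

# --- After ------------------------------------------------------------
# Anything the browser has to execute must be downloadable, so the
# directory is open ...
Require all granted

# ... and only the templates are refused. Assumption: they are pulled in
# server-side by the controllers (filesystem read, no HTTP request), so
# the 403 here does not affect pages rendered through
# /homesec/controler/home.php.
<FilesMatch "\.phtml$">
    Require all denied
</FilesMatch>
```

With this in place nothing that has to stay secret can live in the .js files; such logic and data belong in the PHP controllers.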

CodePudding user response:

OK, if I understand your answers correctly, you say: it's impossible, it's even useless.

I tried to run my application with the browser's dev tools, and I looked at the "Sources" tab, and indeed it appears that the HTML and JS code can be read there ... I tried on "big" applications (google actualities) and nothing can be read in this "Sources" tab. Would it be possible to prevent this? apparently google every company does it...

And you say: in these conditions it's useless to try to prevent users from targeting .phtml or .js files directly, because everybody can see them?

(If you want to know, I spent days trying to solve what I expected to be an absolute security issue.)

ty btw.
