最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客

javascript - How to block non-browser clients from submitting a request? - Stack Overflow

programmeradmin5浏览0评论

I want to block non-browser clients from accessing certain pages / successfully making a request.

The website content is served to authenticated users. What happens is that our user gives his credentials to our website to 3rd party - it can be another website or a mobile application - that performs requests on his behalf.

Say there is a form that the user fills out and sends a message. Can I protect this form so that the server processing the submission can tell whether the user has submitted it directly from the browser or not?

I don't want to use CAPTCHA for usability reasons. Can I do it with some javascript?

I want to block non-browser clients from accessing certain pages / successfully making a request.

The website content is served to authenticated users. What happens is that our user gives his credentials to our website to 3rd party - it can be another website or a mobile application - that performs requests on his behalf.

Say there is a form that the user fills out and sends a message. Can I protect this form so that the server processing the submission can tell whether the user has submitted it directly from the browser or not?

I don't want to use CAPTCHA for usability reasons. Can I do it with some javascript?

Share Improve this question edited Mar 19, 2010 at 14:49 Tomas Kohl asked Mar 19, 2010 at 10:23 Tomas KohlTomas Kohl 1,3881 gold badge21 silver badges28 bronze badges 4
  • Why do you want to prevent this? – Kimvais Commented Mar 19, 2010 at 10:29
  • Maybe it's a browser-based game, and he wants to prevent bots? – Douglas Leeder Commented Mar 19, 2010 at 10:34
  • 1 or a 'send feedback' form that gets spam... In both cases, it would be much better to have some whitleblower application that forces a password change. – Kimvais Commented Mar 19, 2010 at 10:40
  • it's a mercial property - user can send a text to a mobile phone from the web; we'd rather have them e to our site directly – Tomas Kohl Commented Mar 19, 2010 at 14:47
Add a ment  | 

3 Answers 3

Reset to default 8

You can raise the bar using javascript, but anything a browser does, an automated system can do. At the very worst, they could automate a browser, but there will almost certainly be some easier way to simulate the operation.

In any case they can record the requests that the browser sends using a proxy, and work out whatever tricks you have the javascript do.

In terms of what springs to mind (to raise the bar) (using javascript):

  1. Change the location that the submit goes to.
  2. Change field names around at submit time.
  3. Hide fields that look like should be filled in.
  4. Encrypt/obfuscate form contents at submit time.
  5. Change GET to POST.

Another usability problem is that anybody who has javascript disabled won't be able to use the service at all. That might impact usability more than a CAPTCHA.

There is no reliable way to detect the HTTP agent - you will break the form for some browsers in any case - unless you can force users in to using a very limited set of browsers (but this can be spoofed again).

IMO, trying to limit the software that can be used to access the form, you should make sure that there is a real human controlling that software. Unfortunately there is no better way than captchas for doing this, unless all customer have access to biometric scanners.

There is only one way to do this, analyzing vendor string looking for browsers admitted, but if someone fakes the vendor string theres no way to keep away from submissions.

To know if a navigator is mozilla based with javascript :

var isMoz = window.navigator.userAgent.match(/^Mozilla/)?true:false;

with php you could try native function get_browser

发布评论

评论列表(0)

  1. 暂无评论