
javascript – Source map files in production – is it safe?

Author: Internet

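I'm using UglifyJS to minify and uglify my source code, and Sentry to report errors in the production environment.

To get errors from Sentry in a readable form, I need to add a source map.

Is it safe to do this on the production server, or should the source map files exist only in the staging environment?
Is there a way to protect them in the production environment?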

Solution:

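While searching for a possible solution to this, and for anyone who is not specifically using Sentry, I came across this blog post (ironically, a Sentry blog post):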

https://blog.sentry.io/2015/10/29/debuggable-javascript-with-source-maps.html

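It contains an interesting idea: "private source maps". This means generating the source maps somewhere that cannot be reached from the internet (for example, your company VPN), so that only you or your team can access the source map files.

Quoting the "Private source maps" section of the post: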

[…] all of our examples assume that your source maps are publicly available, and served from the same server as your executing JavaScript code. In which case, any developer can use them to obtain your original source code.

To prevent this, instead of providing a publicly-accessible sourceMappingURL, you can instead serve your source maps from a server that is only accessible to your development team. For example, a server that is only reachable from your company’s VPN.

//# sourceMappingURL: 07001

When a non-team member visits your application with developer tools open, they will attempt to download this source map but get a 404 (or 403) HTTP error, and the source map will not be applied.

Seems like a good idea to me!
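
A build-time check for the "private source maps" setup described in the answer above, as an added example that is not part of the original post or Sentry's code: it reads the `sourceMappingURL` comment from each bundle and flags any map that a visitor could download. The host `maps.corp.example`, the bundle URLs and the function names are assumptions; the comment is matched in the `//# sourceMappingURL=` form that browsers honour.

```javascript
'use strict';

// Hypothetical host assumed to be reachable only from the company VPN.
const INTERNAL_HOSTS = new Set(['maps.corp.example']);

// Return the URL of the last sourceMappingURL comment in a script, or null.
function extractSourceMappingURL(js) {
  const re = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/gm;
  let url = null;
  for (const m of js.matchAll(re)) url = m[1];
  return url;
}

// Classify where a bundle's source map reference points.
function classify(js, bundleUrl, internalHosts = INTERNAL_HOSTS) {
  const ref = extractSourceMappingURL(js);
  if (ref === null) return 'none';
  if (/^data:/i.test(ref)) return 'inline'; // map (and sources) shipped inside the bundle
  let target;
  try {
    target = new URL(ref, bundleUrl); // relative references resolve against the bundle
  } catch {
    return 'invalid';
  }
  return internalHosts.has(target.hostname) ? 'private' : 'public';
}

// Report every bundle whose map would be downloadable by any visitor.
function auditBundles(bundles) {
  return Object.entries(bundles)
    .map(([bundle, js]) => ({ bundle, verdict: classify(js, bundle) }))
    .filter((r) => r.verdict === 'public' || r.verdict === 'inline');
}

// Constructed sample bundles (not real files), keyed by their public URL.
const SAMPLE_BUNDLES = {
  'https://app.example/static/app.min.js':
    'var a=1;\n//# sourceMappingURL=app.min.js.map\n',
  'https://app.example/static/vendor.min.js':
    'var b=2;\n//# sourceMappingURL=https://maps.corp.example/static/vendor.min.js.map\n',
  'https://app.example/static/inline.min.js':
    'var c=3;\n//# sourceMappingURL=data:application/json;base64,e30=\n',
  'https://app.example/static/plain.min.js': 'var d=4;\n',
};

console.log(auditBundles(SAMPLE_BUNDLES));
```

The `private` verdict only means the hostname is on the allowlist; the network controls still have to make that host unreachable from the internet.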

Tags: sentry, uglifyjs, javascript, raven, source-maps
Source: https://codeday.me/bug/20190930/1834731.html