A few words first
Please do not use this technique for any illegal purpose. It is not a security vulnerability in Huorong.
The main application scenario is software bundling: if the visitor is a Huorong user, they can be served the clean version, or a bundle that Huorong does not detect, so that the software is not blocked and the promotion is not affected. Software installation requires the user's consent.
principle
Huorong Security blocks some spam and rogue websites. By requesting one of these blocked sites and looking at what comes back, a page can determine whether the user is running Huorong.
Although the browser does not allow a page to read a cross-origin response, the status code reported in the error callback is enough to infer whether Huorong is running on the user's machine.
Enough talk, straight to the code
the code
When Huorong is running, data.status is 200; otherwise it is 404
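<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>测试</title> <!-- "Test" -->
    <script src="http://code.jquery.com/jquery-2.1.1.min.js"></script>
</head>
<body>
<script>
    $(document).ready(function () {
        try {
            $.ajax({
                // Cross-domain JSONP is loaded through a <script> tag, so jQuery
                // issues a GET and ignores the type and async options below.
                type: "OPTIONS",
                async: false,
                url: "http://www.xiaobaixitong.com/d/imgs2018/image/banner/NewDown.png",
                dataType: "jsonp",
                jsonp: "jsonp",
                // A PNG is never a valid JSONP response, so only error() can fire.
                error: function (data) {
                    if (data.status === 200) {
                        // "You are running Huorong"
                        $("#hr").html("您正在运行火绒")
                    } else {
                        // "You are not running Huorong"
                        $("#hr").html("您没有运行火绒")
                    }
                    // console.clear()
                }
            });
        } catch (e) {
            console.log(e)
        }
    })
</script>
<!-- "Huorong:" followed by the detection result -->
<h1>火绒:<span id="hr" style="color:#d50000"></span></h1>
</body>
</html>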
demo picture
Similar scheme
Another example of judging the environment by requesting a specific resource is detecting 360 Browser. 360 Browser no longer identifies itself in the UA header and sends a UA that is exactly the same as Google Chrome's, but it was later found that it could still be identified with a similar approach of requesting special resources (360 Browser has since fixed this).
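For anyone reviewing page source for the Huorong probe shown in the code section above, here is an added example (not code from the original post): a Node.js heuristic that flags jQuery $.ajax calls combining that probe's traits, namely a cross-origin script/JSONP transport, a target that cannot be a script, and an error handler that branches on .status with no success handler. The function names, the extension list, the four-of-five threshold and the *.example hosts are assumptions made for illustration.

```javascript
// Added example: static triage for the status-code probe; names and threshold are assumptions.
// Extensions that can never be a valid JSONP/script response (assumed list).
const NON_SCRIPT_EXT = /\.(png|jpe?g|gif|ico|css|woff2?)$/i;

// Return the {...} options literal following each $.ajax( / jQuery.ajax( call.
// Brace counting ignores braces inside strings; acceptable for triage.
function extractAjaxOptions(source) {
  const blocks = [];
  const call = /(?:\$|jQuery)\.ajax\s*\(\s*\{/g;
  while (call.exec(source) !== null) {
    const start = call.lastIndex - 1;
    for (let i = start, depth = 0; i < source.length; i++) {
      if (source[i] === "{") depth++;
      else if (source[i] === "}" && --depth === 0) {
        blocks.push(source.slice(start, i + 1));
        break;
      }
    }
  }
  return blocks;
}

// Flag calls that combine at least four of the probe's five traits.
function findStatusProbes(source, pageUrl) {
  const findings = [];
  for (const opts of extractAjaxOptions(source)) {
    const url = (opts.match(/\burl\s*:\s*["']([^"']+)["']/) || [])[1];
    if (!url) continue;
    let target;
    try { target = new URL(url, pageUrl); } catch (e) { continue; }
    const reasons = [];
    if (target.origin !== new URL(pageUrl).origin) reasons.push("cross-origin");
    if (/\bdataType\s*:\s*["'](?:jsonp|script)["']/.test(opts)) reasons.push("script-transport");
    if (NON_SCRIPT_EXT.test(target.pathname)) reasons.push("non-script-resource");
    const err = opts.match(/\berror\s*:\s*function\s*\(\s*(\w+)/);
    if (err && new RegExp("\\b" + err[1] + "\\.status\\b").test(opts)) reasons.push("status-in-error-handler");
    if (!/\bsuccess\s*:/.test(opts)) reasons.push("no-success-handler");
    if (reasons.length >= 4) findings.push({ url: target.href, reasons });
  }
  return findings;
}

// Constructed samples (placeholder hosts): the probe pattern and an ordinary JSONP call.
const PROBE_SAMPLE = `$.ajax({ type: "OPTIONS", url: "http://blocked.example/banner/x.png",
  dataType: "jsonp", error: function (data) { if (data.status === 200) { mark(); } } });`;
const BENIGN_SAMPLE = `$.ajax({ url: "https://api.example.org/feed", dataType: "jsonp",
  success: function (d) { render(d); }, error: function (x) { console.log("failed"); } });`;
console.log(findStatusProbes(PROBE_SAMPLE, "https://site.example/"));
```

The ordinary JSONP call matches only two traits and is not reported. A hit is a lead for manual review, not proof of fingerprinting.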