Source map files in production: is it safe?

I use UglifyJS to minify and uglify the source code, and Sentry to report errors from the production environment.

To get readable errors out of Sentry, I need to add source maps.

Is it safe to do this on the production server, or should the source map files exist only in the staging environment?
Is there a way to protect them in production?

32120 views

Your primary concern will be "is it ok if the user has my source code?" Usually it is fine, as users can deobfuscate things anyway.

That said, if you're using Sentry, you can actually use the releases API to avoid this problem. You'll still need to generate the artifacts, and set URLs (or something that the API can handle), but you don't have to expose them to the internet.

While searching for a possible solution to this for the case where someone is not specifically using Sentry, I came across this blog post (ironically, a Sentry blog post):

https://blog.sentry.io/2015/10/29/debuggable-javascript-with-source-maps.html

It contains an interesting idea: "private source maps". It implies generating the source maps somewhere that is not accessible from the internet (such as your company VPN), so only you or your team can access the source map files.

Quoting the "Private Source Maps" section of the post:

[...] all of our examples assume that your source maps are publicly available, and served from the same server as your executing JavaScript code. In which case, any developer can use them to obtain your original source code.

To prevent this, instead of providing a publicly-accessible sourceMappingURL, you can instead serve your source maps from a server that is only accessible to your development team. For example, a server that is only reachable from your company’s VPN.

//# sourceMappingURL=http://company.intranet/app/static/app.min.js.map

When a non-team member visits your application with developer tools open, they will attempt to download this source map but get a 404 (or 403) HTTP error, and the source map will not be applied.

Seems like a good idea to me!