What threats are likely from exposing the access token of a site connected to VKontakte publicly?
It's about the access token of the connected site. The token belongs to an application of the "website" type (i.e. the site itself), not to the visitor.
The task is to make requests to the VKontakte API from the client side, using JavaScript.
There is no threat here: the token belongs to a specific user, the one in whose browser the JS is running.
All requests between your site and the VK platform go over https, which was invented precisely so that traffic cannot be eavesdropped.
And if a person already has a worm or a similar infection on his PC, then nothing will save him. It's open :)
Not very good for an application. Even though the token belongs to a person, he can use it for bad things, for example, to make requests with this token himself. It turns out that the requests go through your application, so its statistics grow. And besides, the documentation says:
"In addition to restrictions on the frequency of calls, there are also quantitative restrictions on calling methods of the same type. For obvious reasons, we do not provide information on the exact limits."
It is not clear how this works. Is it per application or per client?
I think you are confused: the token always belongs to some user, that is, you yourself created the token (most likely in your own name on VK).
To find out who the token was created for, call the users.get method
without parameters; it will return information about the account it was created for, most likely your own name, the account you are logged into VK with.
1) If your token is embedded in the page, anyone who finds it will be able to make requests on your behalf; the only restriction is the set of rights you requested when obtaining this token, and those can include reading messages, posting on the wall, and deleting everything you have.
2) For a personal token, when many requests with the same token start coming from a large number of IP addresses, the token may be revoked and stop working for everyone. To be honest, I haven't tested this, but if there is no such thing now, I think they could add it.
3) Since there is only one token, all requests are subject to its general limits: 3 requests per second, some thousands per hour, per day, etc. (see the API limits). If 4 users log in at the same time, or you make more than one request, one of them will not get results.
If there are many users per hour, the token gets blocked for a while and the responses will say "request limit".
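Putting the points above into code, as an added example that is not from this thread and not VK's own SDK: the token stays on the server, the browser may only call an allowlisted set of read-only methods through a proxy, and one shared token bucket enforces the per-token limit of 3 requests per second. Assumptions: Node.js, the token is read from an environment variable, the API version and the allowlist are illustrative.

```javascript
// Server-side proxy pieces: the VK token never reaches the page.
const VK_API = "https://api.vk.com/method/";
const API_VERSION = "5.131"; // assumed version, set to the one your site uses

// Only the read-only methods the site actually needs: no messages.*, no wall.post.
const ALLOWED_METHODS = new Set(["users.get", "groups.getById"]);

// Token-bucket limiter for the shared per-token limit (3 requests/second in the
// answer above). One bucket for the whole server, because VK counts requests
// per token, not per visitor. `now` is injectable so the logic can be tested.
function createLimiter(ratePerSecond, now = Date.now) {
  let tokens = ratePerSecond;
  let last = now();
  return function tryAcquire() {
    const t = now();
    tokens = Math.min(ratePerSecond, tokens + ((t - last) / 1000) * ratePerSecond);
    last = t;
    if (tokens < 1) return false; // caller should answer 429, not hit VK
    tokens -= 1;
    return true;
  };
}

// Build the upstream URL for a browser-supplied method name and params.
// The token is attached here, server-side; the client cannot override it.
function buildVkRequest(method, params, token) {
  if (!ALLOWED_METHODS.has(method)) {
    throw new Error(`method not allowed: ${method}`);
  }
  const url = new URL(VK_API + method);
  for (const [k, v] of Object.entries(params)) {
    if (k === "access_token" || k === "v") continue; // reserved for the server
    url.searchParams.set(k, String(v));
  }
  url.searchParams.set("v", API_VERSION);
  url.searchParams.set("access_token", token);
  return url.toString();
}

// Handler for GET /vk/<method>?<params> issued by the site's own pages.
// Returns what to send back, or the upstream URL to fetch on the client's behalf.
function handleProxy(pathname, query, token, tryAcquire) {
  const method = pathname.replace(/^\/vk\//, "");
  if (!tryAcquire()) return { status: 429, body: "request limit" };
  try {
    return { status: 200, upstream: buildVkRequest(method, query, token) };
  } catch (e) {
    return { status: 403, body: e.message };
  }
}

// Wiring: const token = process.env.VK_TOKEN; const acquire = createLimiter(3);
// then call handleProxy(req.url path, parsed query, token, acquire) per request.
```

The 403 for a non-allowlisted method and the 429 from the shared bucket are the two things an embedded client-side token cannot give you: scope narrowing and a single place where the per-token limit is enforced.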