GitHub Pages blog and Google Search Console: Is it safe to follow these steps for a public repo?

Google Search Console offers several ways to claim ownership of a website. The recommended method is to download an HTML verification file and upload it to your site. Another method is to add a meta tag to your HTML whose content attribute is a specific, unique code.

Here is my question: if my site is hosted on GitHub Pages as a public repository, is it safe for me to upload that file, or include that meta tag in my [=20], when other people can view them? Is there any way someone could later use these files maliciously to gain access to my Google Search Console account and/or any privileged site traffic/analytics information?

It is safe, and it has been done before.

This is about ownership of the website, not authentication/authorization to your own Google Search Console (which remains tied to your Google account).

The official documentation is the "Google Site Verification API":

Users can only access certain Google services if their verification data shows that they are the owners of the particular website domain.

You can use the API to generate verification tokens for authenticated users, which your code can place in various ways on your websites or domain records on their behalf.

Once the token is in place, you make a call to the API to ask Google to check for the token.
If Google finds the token, it registers the authenticated user as an owner of the website or domain.

All API calls need to be authorized by an authenticated user, and all API calls are executed in the context of the authenticated user's account.

Which means: even if a third party obtains your token, they cannot do anything with it, because you (the authenticated Google account user) would not authorize any API call made with it.

More specifically:

Google Site Verification API enforces some restrictions on how it is used:

  • Data access for authenticated user only: All operations require user authentication and authorization.
  • Verification for authenticated user only: The API can only verify ownership of sites or domains for the currently authenticated account.
    However, the authenticated user can delegate ownership to other users after their ownership of a site has been verified.
    Note that all owners are notified by email whenever changes are made to the ownership list.
  • Normalized URLs and domain names only: The Google Site Verification API does not support IDN (International Domain Name) encoding.
    Be sure to normalize all URLs, domain names, and email address domains to the standard domain name character set (RFC 1034 §3.5) using Punycoding if necessary.
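To make the argument in the quoted documentation concrete, here is a small Python model of the token flow it describes (an added example, not the answer's own code and not Google's API; the class, account names, site names and token format are constructed): tokens are minted per authenticated account, and a verification call only ever looks for the caller's own token, so a token copied out of a public repo gives its holder nothing.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class VerificationService:
    """Toy stand-in for the Site Verification API (constructed model).

    Every operation runs in the context of the authenticated caller:
    get_token() mints a token bound to that account, and verify()
    searches the site only for the caller's own token.
    """
    tokens: dict = field(default_factory=dict)   # account -> token
    owners: dict = field(default_factory=dict)   # site -> set of owner accounts

    def get_token(self, account: str) -> str:
        # One random, unique token per account; reissued unchanged on later calls.
        if account not in self.tokens:
            self.tokens[account] = "google-site-verification=" + secrets.token_urlsafe(32)
        return self.tokens[account]

    def verify(self, account: str, site: str, published: set) -> bool:
        # `published` models what is visible on the site (HTML file, meta tag, TXT record).
        # Only the caller's token counts; anyone else's token on the site is irrelevant.
        if self.get_token(account) in published:
            self.owners.setdefault(site, set()).add(account)
            return True
        return False


def demo() -> dict:
    """Walk the scenario from the question and return each outcome."""
    svc = VerificationService()
    owner, attacker = "owner@example.com", "attacker@example.net"   # constructed accounts
    owner_token = svc.get_token(owner)
    public_repo = {owner_token}  # the token committed to the public GitHub Pages repo

    results = {}
    # Owner places the token and asks the service to check: ownership is registered.
    results["owner_verifies"] = svc.verify(owner, "blog.example", public_repo)
    # Attacker reads the token from the public repo, but every API call runs as the attacker,
    # so the service looks for the attacker's token, which is not on the site.
    results["attacker_with_stolen_token"] = svc.verify(attacker, "blog.example", public_repo)
    # Attacker republishes the owner's token on their own site: that proves nothing for them...
    results["attacker_republishes"] = svc.verify(attacker, "evil.example", {owner_token})
    # ...but would let the owner prove ownership of the attacker's site, as the second answer notes.
    results["owner_claims_attacker_site"] = svc.verify(owner, "evil.example", {owner_token})
    results["owners_of_blog"] = sorted(svc.owners["blog.example"])
    return results
```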

Publishing that file is completely safe. In fact, everyone publishes it, since everyone either uploads it to their server or adds it to their meta tags.

Anyone can access the file by appending its filename to the URL of any verified Google Search Console site. If they put it in the site's meta tags it is even easier, because you can view the page source at any time. The token you get from Google is completely random and unique. Google only wants to check that you have access to the server's file system. If someone else uploads it to their website, you can prove that their website is yours as well. The token by itself cannot verify anything.

The best proof is that YouTube publishes its token too. If you do a TXT lookup on youtube.com, you get the following:

TXT | youtube.com | google-site-verification=OQz60vR-YapmaVrafWCALpPyA8eKJKssRhfIrzM-DJI