让我们完全在客户端使用脚本标签解决跨域ajax
我知道,有 JSONP,它涉及服务器合作来对数据进行命名空间。
令我困扰的是,脚本标签 src 的内容已被评估,但它不可供读取。
<script src="http://www.google.com"></script>
我们需要弄清楚的是如何命名数据,仅此而已。 当然,我尝试了非常愚蠢的事情,但没有相关结果(我知道这不起作用,但你可以看到我想要实现的目标):
<script>eval('var namespace="');</script>
<script src="http://www.google.com"></script>
<script>eval('";');</script>
因为实际上没有关于 src 如何实现的相关信息内容被评估,我知道它是全局范围的,但是如果我们可以跟踪评估步骤或者可能链以某种方式评估范围(也没有太多关于此的文档),我们可以解决这个恼人的“评估”但不可读”的事情。
有任何想法吗?
I know, there's JSONP, which involves server cooperation to name-space the data.
What is bothering me is the fact that the content of script tag src is evaluated, but it's NOT available to read.
<script src="http://www.google.com"></script>
All we need to figure out is how to namespace the data, that's all.
Of course I tried pretty idiotic things with no relevant result (I know this doesn't work, but you can see what I'm trying to achieve):
<script>eval('var namespace="');</script>
<script src="http://www.google.com"></script>
<script>eval('";');</script>
Since there's really no relevant info on how the src content is evaluated, I know it's global scope, but if we could trace evaluation steps or maybe chain evals scope somehow (not much documentation about this as well), we could solve this annoying "evaluated but not readable" thing.
Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
HTML5 提供了
window.postMessage,它提供了一种安全跨域消息传递的机制,并且受到 Firefox 3、Opera 9.6 和 WebKit nightlies 的支持。也就是说,您上面的建议不起作用,因为它需要与 javascript 的
eval完全不同的行为。eval在当前上下文中解析并执行给定的字符串 - 您所请求的是 eval 更改包含函数的实际代码。 例如。会变成
意味着 for 循环变空,并且 doSomething 只会被调用一次。 显然,这将导致难以理解语义,并且大大降低了使用安全性,因为 eval 将获得直接影响控制流的能力。
HTML5 provides
window.postMessagewhich provides a mechanism for safe cross domain messaging, and is supported by Firefox 3, Opera 9.6, and WebKit nightlies.That said your suggestion above cannot work because it requires fundamentally different behaviour from javascript's
eval.evalparses and executes the given string in the current context -- what you're requesting is that eval change the actual code of the containing function. eg.would become
meaning the for-loop becomes empty, and
doSomethingwould only be called once. Clearly this would result in incredibly difficult to comprehend semantics, as well as making it substantially less safe to use, as eval would gain the ability to directly influence control flow.由于浏览器安全策略,我不确定这是否可能。
I'm not sure this is at all possible due to browser security policies.
我倾向于说离开它。 这类问题将会得到解决,但不是通过破坏我们已有的东西来解决的。 在这方面,网络从根本上被破坏了。 事实上,来自一个域的任何脚本都可以在另一个域上执行,这是一个严重的安全漏洞,如果不加以控制,将阻碍网络的发展。
http://www.slideshare.net/webdirections/douglas-crockford- ajax-安全演示
I'm inclined to say leave it. These kind of issues will be solved, but not by hacking around what we already have. The web is fundamentally broken in that regard. The fact that any script from one domain can be executed on another is a severe security vulnerability that will hamper the growth of the web if left unchecked.
http://www.slideshare.net/webdirections/douglas-crockford-ajax-security-presentation