跨不同域访问 iframe 元素
据我所知,跨站点脚本(xss)不好,并且大多数浏览器都不支持。 然而,我正在构建一个仅供公司内大约 3 或 4 人使用的页面。 在此页面上,我有一个来自另一个域的框架,我需要父页面能够访问该框架内的值。
所以我的问题是,在 Firefox 或 IE7 中是否有办法(更改设置等)允许这种情况发生? 最好(但不一定)任何设置更改都明确针对我的域。
我在网上找到了一些帮助,说在FF中你可以添加capability.policy来允许这样做。 不过我没那么幸运,也许 FF3 不支持这一点。
I understand that cross site scripting (xss) is not good and is not supported in most browsers. However, I am building a page to be used only by about 3 or 4 people within my company. On this page I have a frame from another domain and I need the parent page to be able to access the values within that frame.
So my question is, is there a way (changing settings, etc), in either Firefox or IE7, to allow this to happen? Preferably (though not necessarily) any setting change would be for my domain explicitly.
I've found some help online that says that in FF you can add capability.policy to allow this. I haven't had any luck though, perhaps that isn't supported in FF3.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
对于那些寻找的人来说,有一种很好的向后兼容、仅限 JavaScript 的跨域通信方式。 代码也简短、简单。 完美的解决方案? 只要您请求修改父级和子级:
http: //www.onlineaspect.com/2010/01/15/backwards-company-postmessage/
For those looking, there is a great backwards-compatible, javascript-only way to communicate across domains. Short, easy code as well. Perfect solution? As long as you have request modifications to the parent and the child:
http://www.onlineaspect.com/2010/01/15/backwards-compatible-postmessage/
我的一些想法:
在 IE 中,您可以更改站点所在安全区域的设置。我建议您将域添加到“受信任的站点”,然后确保“”访问数据跨域源。”已为受信任站点区域启用。您可以找到更多信息 此处。
如果您有一个可以控制的域名,也许您可以设置指向不同框架中的站点的子域? 从而愚弄网络浏览器,认为它们是同一站点的一部分?
如果您喜欢编码,您可以创建一个使用 IE 浏览器控件并实现其自己的 IInternetSecurityManager 的自定义应用程序 (http://msdn.microsoft.com/en-us/library/ms537130(VS.85).aspx) 允许跨域脚本访问。
A couple ideas of the top of my head:
In IE you can change the settings for the security zone that your site is in. I suggest you add the domains to "Trusted sites" and then make sure that ""Access data sources across domains." is enabled for the Trusted Sites-zone. You can find more info here.
If you have a domain-name which you have control over, maybe you can set up sub-domains which point to the sites in the different frames? Thereby fooling the web browser that they are part of the same site?
If you like coding you can create a custom app which uses the IE-browser control and implements its own IInternetSecurityManager (http://msdn.microsoft.com/en-us/library/ms537130(VS.85).aspx) which allows cross-domain script access.
另一种选择是设置代理页面,使页面看起来源自同一域。 代理页面可能非常容易受到 XSS 攻击,具体取决于实现方式。 尽管您声明这不是问题,但考虑这一点很重要。
Another option is to set up a proxy page so that the pages appear to originate in the same domain. Proxy pages can be terribly vulnerable to XSS, depending on implementation. Even though you state that that's not a concern here, it's important to consider.