document.domain = document.domain 的作用是什么?

发布于 2024-08-06 18:39:18 字数 319 浏览 10 评论 0原文

Orbited(Comet 服务器)的客户端 JS 组件要求,如果服务器运行在不同的域或移植到 JS 本身,您必须

document.domain = document.domain;

在加载任何其他 JS 之前执行。 (请参阅文档。)

这是做什么的?它看起来像一个NOOP! (我查了一下,确实有必要。)

The client-side JS component of Orbited (a Comet server), requires that if the server is running on a different domain or port to the JS itself, you must execute

document.domain = document.domain;

before any other JS is loaded. (See the documentation.)

What does this do? It looks like a NOOP! (I've checked and it is in fact necessary.)

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

月竹挽风 2024-08-13 18:39:18

我实际上写了这段代码。

当尝试跨子域/端口 comet 时,iframe 需要与父框架具有相同的 document.domain 值。不幸的是,浏览器在内部存储原始 document.domain 值的域名和端口。但 JavaScript 中的 getter 和 setter 对端口一无所知。所以问题是这样的:如果顶部框架 document.domain('example.com', 80),底部框架是 ('comet. example.com', 80),如何让底部框架也成为 ('example.com', 80)

您不能,因为更改主机名部分必然会导致端口设置为 null,因此您能做的最好的事情就是 ('example.com', null) 在底部框架中。因此,顶部框架也需要设置为该值,并且设置 document.domain=document.domain 就可以做到这一点。它将浏览器中的内部表示从 ('example.com', 80) 更改为 ('example.com', null),然后所有内容都匹配并交叉端口/子域帧通信正常。

I actually wrote this code.

When trying to do cross-subdomain/port comet, the iframe needs to have the same document.domain value as the parent frame. Unfortunately, the browser stores the domain name AND port internally for the original document.domain value. But the getter and setter in javascript knows nothing about the port. So the problem is this: if the top frame document.domain is ('example.com', 80), and the bottom frame is ('comet.example.com', 80), how do you get the bottom frame to be ('example.com', 80) as well?

You can't, as changing the hostname portion will necessarily cause the port to be set to null, so the best you can do is ('example.com', null) in the bottom frame. So the top frame also needs to be set to that value, and setting document.domain=document.domain does just that. It changes the internal representation in the browser from ('example.com', 80) to ('example.com', null) and then everything matches up and cross-port/subdomain frame communication works.

红焚 2024-08-13 18:39:18

浏览器区分
(a) 未明确设置时的 document.domain

(b) 明确设置时的 document.domain
...即使它们返回相同的值。

显式设置该值表示与另一个子域(在同一父域下)上的脚本“合作”的意图。

如果父页面和外部脚本都显式地将 document.domain 设置为相同的值,则可以绕过同源策略限制,并且每个脚本可以访问彼此上下文的所有(否则受限制的)对象和属性。

Browsers distinguish between
(a) document.domain when not explicitly set
and
(b) document.domain when explicitly set
... even if they return the same value.

Explicitly setting the value indicates intent to "cooperate" with a script on another subdomain (under the same parent domain).

If BOTH the parent page AND the external script explicitly set document.domain to the same value, the same-origin policy restriction may be bypassed and each script may access all the (otherwise restricted) objects and properties of each others' contexts.

明天过后 2024-08-13 18:39:18

我在此网站上找到了以下信息:devguru。更具体地说,这是引用:

该属性设置或返回
来源服务器的域名
该文件起源于。这是默认的
到服务器的域名
该文件已取回,但是
可以更改为后缀(并且只有
此名称的后缀)。这允许
共享脚本属性、安全性
允许在交付的文件之间
来自不同的服务器提供他们
共享相同的域名后缀。

在我看来,它允许同一域的跨站点脚本编写(即使子域不同)。

我想如果你不接触 document.domain,js 引擎只允许来自同一域的其他 javascript。借助该属性,您将能够部署到其他子域,例如轨道文档状态。

I found the following info on this site: devguru. More concretely, here's the quote:

This property sets or returns the
domain name of the server from which
the document originated. This defaults
to the domain name of the server that
the document was retreived from, but
can be changed to a suffix (and only a
suffix) of this name. This allows the
sharing of script properties, security
allowing, between documents delivered
from different servers providing they
share the same domain suffix.

It seems to me that it allows cross site scripting for same domain (even if subdomain is different).

I would suppose that if you don't touch document.domain, the js engine only allows other javascripts from same domain. With that property, you'll be able to deploy to other sub-domains like the orbited docs state.

画▽骨i 2024-08-13 18:39:18

如果未明确设置,document.domain 将从实际 URL 中提取默认值。浏览器将记录 document.domain 是否已作为 URL 的默认值或是否已明确设置。两者必须是同一域的默认值,或者必须将两者显式设置为同一域才能正常工作。如果一个是默认的,一个是显式设置的,如果读取则两者都匹配,则两个页面仍将被禁止相互通信。

请参阅:https://developer.mozilla.org/en-US/docs /DOM/document.domain

The document.domain pulls a default from the actual URL if not explicitly set. Browsers will record if document.domain has come as a default from the URL or if it was explicitly set. Both must be a default for the same domain or both must be explicitly set to the same domain for this to work. If one is default and one is explicitly set, both matching if read, the two pages will still be forbidden from talking with each other.

See: https://developer.mozilla.org/en-US/docs/DOM/document.domain

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文