Will future security measures restrict JSONP's cross-domain asynchronous capability?
Is there a risk that future revisions of the Same Origin Policy or other browser security measures could prevent the cross-domain asynchronous request capability of JSONP?
This would have to be taken into consideration if a developer intends to provide asynchronous capabilities in a public environment.
Comments (1)
As JSONP relies on script tags for transport, I would think it should be relatively safe: disabling access to scripts on another domain would be a big change to the way the web works. JSONP deliberately works around the same origin policy, and it would take a fundamental change to the way browsers process scripts for it to fail. Unless all external scripts somehow become sandboxed from interacting with your application (which would break sites everywhere), JSONP should stay safe.
Plus, as more and more browsers introduce cross-domain support a la Flash's crossdomain.xml, I would imagine our abilities to "trust" scripts will only increase.
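To make the script-tag transport the answer describes concrete, here is an added example (not code from the original post) showing both ends of a JSONP exchange and the checks a provider should apply before returning executable JavaScript; the endpoint path, callback name and data are constructed assumptions.

```javascript
// Added illustration of the JSONP mechanism; the endpoint, callback name and
// feed data are constructed for this example, not taken from any real service.

// Provider side: a JSONP endpoint answers /feed?callback=onFeed with a
// JavaScript program, not plain JSON. The browser executes it as a <script>,
// so the callback name must be strictly validated, otherwise a request can
// reflect arbitrary script into the response the page will run.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]{0,63}$/;

function buildJsonpResponse(callbackName, data) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error('invalid JSONP callback name');
  }
  // JSON.stringify leaves U+2028/U+2029 unescaped, but they are line
  // terminators in JavaScript; the /**/ prefix, JS content type and nosniff
  // limit content-sniffing abuse of the response.
  const body = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    contentType: 'application/javascript; charset=utf-8',
    headers: { 'X-Content-Type-Options': 'nosniff' },
    body: `/**/${callbackName}(${body});`,
  };
}

// Consumer side (browser only): the same-origin policy does not restrict
// which origins a <script src> may load, so the page registers a global
// callback and appends a script tag. Whatever the provider returns runs with
// this page's full privileges, so JSONP is trust in the provider, not a data channel.
function jsonpRequest(url, callbackName, onData) {
  window[callbackName] = (data) => {
    delete window[callbackName];
    script.remove();
    onData(data);
  };
  const script = document.createElement('script');
  script.src = `${url}?callback=${encodeURIComponent(callbackName)}`;
  document.head.appendChild(script);
}

// Offline check of the provider contract: run the response body the way a
// browser would (as a script) and capture what the callback receives.
function simulateBrowserExecution(response) {
  let received;
  const onFeed = (d) => { received = d; };
  new Function('onFeed', response.body)(onFeed);
  return received;
}
```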