当 URL 设置为运行 JavaScript 时,同域策略如何适用于弹出窗口?
我想做这样的事情:
var w = window.open("javascript: makeAnAjaxRequest();");
我的问题是,Ajax 请求(新窗口打开后执行)是否会被视为跨站点请求?同域策略是否适用于页面创建窗口的原始域?
回应您的一些评论:
someAjaxFunction()
只需发出 Ajax 请求并能够对结果进行操作。我知道该函数必须在我打开的窗口中定义。没问题;我正在使用一个缩小的 ajax 函数,我也可以将其注入到 URL 中。关键是要看看请求有什么限制;即同域策略适用于哪个域?
I want to do something like this:
var w = window.open("javascript: makeAnAjaxRequest();");
My question is, would the Ajax request (executed once the new window opens) be considered a cross-site request? Does the same-domain policy apply to the original domain whose page created the window?
In resposne to some of your comments:
someAjaxFunction()
just has to make an Ajax request and be able to operate on the result. I understand that the function has to be defined in the window I am opening. No problem; I have a minified ajax function that I am using which I can inject into the URL as well. The point is to see what the limitations are of the request; i.e., under which domain will the same-domain policy be applied to?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
来自谷歌的一些信息:http://code.google.com/p/ browsersec/wiki/Part2#Same-origin_policy_for_DOM_access
来自 Mozilla 的信息
所以你的答案是
否则,您将受到限制。
编辑 - 真正的答案
window.open('javascript:doFunction()')
除了打开一个新的空白窗口之外不会执行任何操作,该窗口无法执行任何操作,因为doFunction
未定义。它需要在同一窗口中定义。旁注 我可以通过直接将ajax注入到url中来进行同源xhr请求,但它仍然容易受到同域策略的影响。
在 Firefox 中失败。我还没有在 MSIE 中测试过它。但是
测试:
(失败)Chrome 7(控制台)来自http://stackoverflow.com: 80
(成功)Chrome 7(控制台)来自 http://stackoverflow.com:80
(失败)来自 http://stackoverflow.com:80 的 Firefox 3.6(控制台)
(成功) Firefox 3.6(控制台)来自 http://stackoverflow.com:80
(失败) Firefox 3.6(控制台)来自 http://stackoverflow.com:80
(成功) Firefox 3.6(控制台)来自 http://stackoverflow.com:80
Some info from google: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_DOM_access
Info from Mozilla
So your answer is
Otherwise, you are restricted.
EDIT - real answer
window.open('javascript:doFunction()')
would not do anything except open a new blank window which fails to do anything becausedoFunction
is not defined. It needs to be defined in the same window.Sidenote I can do the same-origin xhr request by injecting the ajax into the url directly, but it's still susceptible to the same-domain policy.
It fails in Firefox. And I haven't tested it in MSIE yet. But
Tests:
(failure) Chrome 7 ( console ) from http://stackoverflow.com:80
(success) Chrome 7 ( console ) from http://stackoverflow.com:80
(failure) Firefox 3.6 ( console ) from http://stackoverflow.com:80
(success) Firefox 3.6 ( console ) from http://stackoverflow.com:80
(failure) Firefox 3.6 ( console ) from http://stackoverflow.com:80
(success) Firefox 3.6 ( console ) from http://stackoverflow.com:80
新窗口打开为 about:blank,然后在该窗口的上下文中运行 javascript。根据 meder 的评论,从该窗口发出 AJAX 请求将会失败,因为协议不匹配,因此您将无法打开连接到任何 http: url。
如果你提到你真正想做的事情,而不仅仅是好奇,你的问题可能会得到改善......
The new window opens as about:blank and then runs the javascript in the context of that window. Making AJAX requests from that window, according to meder's comments, would fail because the protocol doesn't match, so you would not be able to open to connect to any http: url.
Your question could be improved if you mention what you really are trying to do, rather than just being curious...