How does the same-origin policy apply to a popup window when its URL is set to run JavaScript?

Posted 2024-10-01 10:51:48


I want to do something like this:

var w = window.open("javascript: makeAnAjaxRequest();");

My question is, would the Ajax request (executed once the new window opens) be considered a cross-site request? Does the same-domain policy apply to the original domain whose page created the window?

In response to some of your comments:

someAjaxFunction() just has to make an Ajax request and be able to operate on the result. I understand that the function has to be defined in the window I am opening. No problem; I have a minified ajax function that I am using which I can inject into the URL as well. The point is to see what the limitations of the request are; i.e., under which domain will the same-domain policy be applied?


Comments (2)

梦明 2024-10-08 10:51:48


Some info from google: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_DOM_access

With no additional qualifiers, the term "same-origin policy" most commonly refers to a mechanism that governs the ability for JavaScript and other scripting languages to access DOM properties and methods across domains (reference). In essence, the model boils down to this three-step decision process:

If protocol, host name, and - for browsers other than Microsoft Internet Explorer - port number for two interacting pages match, access is granted with no further checks.
Any page may set document.domain parameter to a right-hand, fully-qualified fragment of its current host name (e.g., foo.bar.example.com may set it to example.com, but not ample.com). If two pages explicitly and mutually set their respective document.domain parameters to the same value, and the remaining same-origin checks are satisfied, access is granted.
If neither of the above conditions is satisfied, access is denied.

Info from Mozilla

I can not access the properties of the new secondary window. I always get an error in the javascript console saying "Error: uncaught exception: Permission denied to get property . Why is that?

It is because of the cross-domain script security restriction (also referred as the "Same Origin Policy"). A script loaded in a window (or frame) from a distinct origin (domain name) cannot get nor set properties of another window (or frame) or the properties of any of its HTML objects coming from another distinct origin (domain name). Therefore, before executing a script targeting a secondary window, the browser in the main window will verify that the secondary window has the same domain name.
More reading on the cross-domain script security restriction: http://www.mozilla.org/projects/secu...me-origin.html

So your answer is

  1. So, if the protocol and hostname and port match for all browsers but IE, it's the same domain
  2. If the protocol and hostname match for IE, it's the same domain

Otherwise, you are restricted.

EDIT - real answer

window.open('javascript:doFunction()') would not do anything except open a new blank window which fails to do anything because doFunction is not defined. It needs to be defined in the same window.

Sidenote I can do the same-origin xhr request by injecting the ajax into the url directly, but it's still susceptible to the same-domain policy.

x = window.open('javascript:x = new XMLHttpRequest; x.open("GET", "http://medero.org", false); x.onreadystatechange = function(){ if ( x.readyState != 4 ) { return; }; alert(x); alert( x.responseText );}; try {x.send(null); } catch (e) { alert(e)}; alert("ok"); ');

It fails in Firefox. And I haven't tested it in MSIE yet. But

Tests:

(failure) Chrome 7 ( console ) from http://stackoverflow.com:80

>>> x = window.open('http://google.com', 'fds', 'width=200, height=300')
>>> x.document.body.innerHTML='test';
TypeError: Cannot read property 'body' of undefined

(success) Chrome 7 ( console ) from http://stackoverflow.com:80

>>> x = window.open('http://stackoverflow.com', 'fds', 'width=200, height=300')
>>> x.document.body.innerHTML='test';
"test"

(failure) Firefox 3.6 ( console ) from http://stackoverflow.com:80

>>> x = window.open('http://google.com', 'fds', 'width=200, height=300')
>>> x.document.body.innerHTML='test';
Permission denied for <http://stackoverflow.com> to get property Window.document from <http://www.google.com>.

(success) Firefox 3.6 ( console ) from http://stackoverflow.com:80

>>> x = window.open('http://stackoverflow.com', 'fds', 'width=200, height=300')
>>> x.document.body.innerHTML='test';
"test"

(failure) Firefox 3.6 ( console ) from http://stackoverflow.com:80

$.ajax({
   url:'http://bing.com',
   success:function(data) {
      alert(data) // blank alert
   }
})

(success) Firefox 3.6 ( console ) from http://stackoverflow.com:80

$.ajax({
   url:'http://stackoverflow.com',
   success:function(data) {
      alert(data) // success
   }
})
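
The three-step decision process quoted above from the Browser Security Handbook, and the console tests that follow it, can be replayed outside a browser. The block below is an added example and is not code from the answer, from Stack Overflow, or from the Handbook: it models the (protocol, host, port) comparison, the document.domain relaxation rule, and the Internet Explorer port exception as plain functions. The function names (originOf, sameOrigin, mayRelaxDomainTo, domAccessAllowed), the option names (ignorePort, domainA, domainB) and the sample page URLs are assumptions made for the example; page URLs and document.domain values are passed in as strings rather than read from real window objects.

```javascript
// Added example (not from the original answer): a plain-JavaScript model of the
// three-step same-origin decision quoted from the Browser Security Handbook.
// Runs under Node with no browser; URLs and document.domain values are strings.

// Hypothetical helper: reduce a page URL to the (protocol, host, port) triple the
// same-origin check compares. Default ports are filled in so that
// "http://stackoverflow.com" and "http://stackoverflow.com:80" compare equal.
function originOf(pageUrl) {
  const u = new URL(pageUrl);
  const defaults = { 'http:': '80', 'https:': '443' };
  return {
    protocol: u.protocol,
    host: u.hostname,
    port: u.port || defaults[u.protocol] || '',
  };
}

// Step 1 of the quoted decision process: protocol, host name and port must match.
// `ignorePort` models the Internet Explorer behaviour described in the answer,
// where the port number is left out of the comparison.
function sameOrigin(pageA, pageB, { ignorePort = false } = {}) {
  const a = originOf(pageA);
  const b = originOf(pageB);
  return a.protocol === b.protocol &&
         a.host === b.host &&
         (ignorePort || a.port === b.port);
}

// Step 2 precondition: a page may only set document.domain to a right-hand,
// fully-qualified fragment of its own host name (foo.bar.example.com may choose
// example.com, but not ample.com, which is a substring rather than a label suffix).
// Only the quoted rule is modelled; real browsers add public-suffix restrictions.
function mayRelaxDomainTo(hostname, candidate) {
  if (candidate === hostname) return true;
  return hostname.endsWith('.' + candidate);
}

// The full three-step decision. `domainA` / `domainB` are the document.domain
// values each page has explicitly set (undefined when left untouched).
function domAccessAllowed(pageA, pageB, { domainA, domainB, ignorePort = false } = {}) {
  // Step 1: exact origin match grants access with no further checks.
  if (sameOrigin(pageA, pageB, { ignorePort })) return true;

  // Step 2: both pages must have explicitly and mutually set document.domain to
  // the same value, each to a legal suffix of its own host, and the remaining
  // checks (protocol, and port outside IE) must still hold.
  if (domainA !== undefined && domainB !== undefined && domainA === domainB) {
    const a = originOf(pageA);
    const b = originOf(pageB);
    const legal = mayRelaxDomainTo(a.host, domainA) && mayRelaxDomainTo(b.host, domainB);
    const rest = a.protocol === b.protocol && (ignorePort || a.port === b.port);
    if (legal && rest) return true;
  }

  // Step 3: neither condition satisfied, access denied.
  return false;
}

// Replaying the console tests from the answer through the model
// (opener page http://stackoverflow.com:80, popup either google.com or stackoverflow.com).
const opener = 'http://stackoverflow.com:80';
console.log(domAccessAllowed(opener, 'http://google.com'));        // false: the "(failure)" cases
console.log(domAccessAllowed(opener, 'http://stackoverflow.com')); // true:  the "(success)" cases
```

Passing ignorePort: true reproduces the two-line summary in the answer (IE compares only protocol and host name); the document.domain branch only grants access when both sides have opted in to the same value, which is why a single page setting document.domain on its own still lands in step 3.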

请帮我爱他 2024-10-08 10:51:48


The new window opens as about:blank and then runs the javascript in the context of that window. Making AJAX requests from that window, according to meder's comments, would fail because the protocol doesn't match, so you would not be able to open to connect to any http: url.

Your question could be improved if you mention what you really are trying to do, rather than just being curious...
