<脚本>src 替换 - 沙箱破坏者 - 它会持续吗?

发布于 2024-11-01 03:32:56 字数 753 浏览 8 评论 0原文

大家好,我正在开发一个允许嵌入代码的网络 do-dad。

在此特定嵌入中,通过 javascript 将 iframe 添加到页面来代替嵌入代码。我现在可以控制用户的页面,并且由于我也从 javascript 编写 iframe 的内容,所以可以控制 iframe 页面。这样做(而不是从我们的服务器获取 iframe)让我们可以与 iframe 进行对话以执行一个很酷的技巧。

问题: iframed 页面仍然需要从我们的服务器获取 ajax 内容。沙盒问题!在我看来,解决方案是

有人告诉我,大多数浏览器的这种能力都处于待宰状态。这是真的吗?糟糕的!在我的(诚然简短的)研究中,我找不到任何与此效果相关的内容,尽管我会去找专家,

  • AdWords 是如何运作的?他们需要打电话回家,对吗?他们是怎么做到的?
  • 据我了解,即将推出的跨站点 XHR 内容将弹出安全对话框 - 这是真的吗?
  • 有人可以推荐其他不会弹出安全对话框的沙箱破坏技术吗?

(是的,我知道安全问题 - 我们穿着防护服之类的)

谢谢!

Hey people, I am working on a web do-dad which allows has an embed code.

In this particular embed, an iframe is added to the page in place of the embed code via javascript. I now have control of the user's page, and, since I am writing the content of the iframe from javascript as well, control of the iframed page. Doing this (as opposed to sourcing my iframe from our server) lets us talk to the iframe to do a cool trick.

THE PROBLEM:
the iframed page still needs to ajax stuff from our server. Sandbox issues! The solution, it seemed to me was <script> src replacement - essentially replacing our ajax procedure with a sandbox-breaker version.

I have been told that this ability of most browsers is on the chopping block. is this true? terrible! I can't find anythign to this effect in my (admittedly brief) research, and though i'd go to the experts

  • is <script> src replacement a viable mechanism to pull off sandbox-breaker type effects?
  • is <script> src replacement viable at all?
  • how do adwords work? they need to call home, right? How do they do that?
  • I understand that the soon-to-be available cross site XHR stuff will pop security dialogs - is this true?
  • Can anybody recommend and other sandbox breaker technique that won't pop a security dialog?

(yes I am aware of the security concerns - We are wearing protection and whatnot)

Thanks!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

凉城 2024-11-08 03:32:56

src替换是一个可行的机制吗
实现沙盒破坏者类型
效果如何?

是的

src 替换是否可行?

是的。这就是最初的 AJAX。

AdWords 是如何运作的?他们需要打电话
家,对吗?他们是如何做到的?

AdWords 基于您网站的屏幕抓取。这是与上下文相关的。除非您知道如何使用 URL 哈希技术,否则不会抓取 Ajax 内容。

据我了解,不久的将来
可用的跨站点 XHR 内容将
弹出安全对话框 - 这是真的吗?

托管页面需要明确允许这一点,是的。

有人可以推荐吗?
沙盒破坏者技术不会
弹出安全对话框?

使用闪存。

is src replacement a viable mechanism
to pull off sandbox-breaker type
effects?

Yes

is src replacement viable at all?

Yes. This was the original AJAX.

how do adwords work? they need to call
home, right? How do they do that?

Adwords are based on a screen-scrape of your site. It is context-related. Ajax content is not scraped unless you know how to use URL hash techniques.

I understand that the soon-to-be
available cross site XHR stuff will
pop security dialogs - is this true?

The hosting page would need to explicitly allow this, yes.

Can anybody reccomend and other
sandbox breaker technique that won't
pop a security dialog?

Use Flash.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文