Same Origin Policy and external scripts

Posted on 2024-11-02 09:45:53

I've been tasked with integrating ad code from AdBrite.

This is the snippet I've been given, sanitized to remove our identifiers:

<script type="text/javascript">
var AdBrite_Title_Color = '3D81EE';
var AdBrite_Text_Color = '000000';
var AdBrite_Background_Color = 'FFFFFF';
var AdBrite_Border_Color = 'CCCCCC';
var AdBrite_URL_Color = '008000';
try{var AdBrite_Iframe=window.top!=window.self?2:1;var AdBrite_Referrer=document.referrer==''?document.location:document.referrer;AdBrite_Referrer=encodeURIComponent(AdBrite_Referrer);}catch(e){var AdBrite_Iframe='';var AdBrite_Referrer='';}
</script>
<script type="text/javascript">document.write(String.fromCharCode(60,83,67,82,73,80,84));document.write(' src="http://ads.adbrite.com/mb/text_group.php?sid=sanitized&zs=sanitized&ifr='+AdBrite_Iframe+'&ref='+AdBrite_Referrer+'" type="text/javascript">');document.write(String.fromCharCode(60,47,83,67,82,73,80,84,62));</script>
<div><a target="_top" href="http://www.adbrite.com/mb/commerce/purchase_form.php?opid=sanitized&afsid=1" style="font-weight:bold;font-family:Arial;font-size:13px;">Your Ad Here</a></div>

It's loading a remote script from the AdBrite servers by writing to the DOM. The String.fromCharCode cleverly writes out the ASCII chars for <script> in order to reference the remote JavaScript file.

My question is: why does this work? Don't browsers recognize this as a violation of the Same Origin Policy?

BTW, what prompted my investigation of this was the fact that I'm having trouble getting the URL params to be properly escaped and then un-escaped in GWT's UIBinder.

Thanks


夏日落 2024-11-09 09:45:53

Same origin policy applies to AJAX requests. Loading remote scripts is not governed by this rule, hence solutions like JSONP might exist.
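
The distinction drawn in the answer, as an added example that is not part of the original question or answer: a Node.js model (built on the vm module, not browser code) in which an included script executes in the page's global scope whatever its origin, while reading a cross-origin response as data is refused unless the server opts in. The hosts, the onAd callback and both script bodies are constructed for illustration.

```javascript
// Added example: a Node.js model of script inclusion, not browser code.
// Hosts, the onAd callback and both script bodies are constructed.
const vm = require('node:vm');

// An origin is (scheme, host, port); URL.origin normalises default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// A page is one global scope shared by every script it includes.
function makePage(url) {
  const context = vm.createContext({ location: { href: url }, received: [] });
  return { url, context };
}

// <script src>: the file is fetched and executed in the page's global
// scope whatever its origin; the page never gets the source text as data.
function includeScript(page, scriptUrl, body) {
  vm.runInContext(body, page.context, { filename: scriptUrl });
  return { crossOrigin: !sameOrigin(page.url, scriptUrl) };
}

// XHR/fetch: the page asks for the response text. A cross-origin read is
// refused unless the server opts in via Access-Control-Allow-Origin.
function readResponse(page, resourceUrl, body, allowOrigin) {
  const pageOrigin = new URL(page.url).origin;
  const allowed = sameOrigin(page.url, resourceUrl) ||
    allowOrigin === '*' || allowOrigin === pageOrigin;
  if (!allowed) throw new Error('blocked by same-origin policy: ' + resourceUrl);
  return body;
}

function demo() {
  const page = makePage('https://publisher.example/article');
  // Inline page script: config global (as in the snippet) plus a JSONP callback.
  includeScript(page, page.url,
    "var AdBrite_Title_Color = '3D81EE'; function onAd(d) { received.push(d); }");
  // Remote script: JSONP-style, hands data to the page by calling its callback.
  const adUrl = 'https://ads.example/text_group.js';
  const adBody = 'onAd({ color: AdBrite_Title_Color, page: location.href });';
  const inc = includeScript(page, adUrl, adBody);
  let xhr;
  try { xhr = readResponse(page, adUrl, adBody, undefined); }
  catch (e) { xhr = e.message; }
  return { inc, received: page.context.received, xhr };
}

console.log(demo());
```

The remote script sees AdBrite_Title_Color and location because it runs with the page's own privileges, which is why including a third-party script means trusting the host that serves it.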
