Same Origin Policy and external scripts
I've been tasked with integrating ad code from AdBrite.
This is the snippet I've been given, sanitized to remove our identifiers:
<script type="text/javascript">
var AdBrite_Title_Color = '3D81EE';
var AdBrite_Text_Color = '000000';
var AdBrite_Background_Color = 'FFFFFF';
var AdBrite_Border_Color = 'CCCCCC';
var AdBrite_URL_Color = '008000';
try{var AdBrite_Iframe=window.top!=window.self?2:1;var AdBrite_Referrer=document.referrer==''?document.location:document.referrer;AdBrite_Referrer=encodeURIComponent(AdBrite_Referrer);}catch(e){var AdBrite_Iframe='';var AdBrite_Referrer='';}
</script>
<script type="text/javascript">document.write(String.fromCharCode(60,83,67,82,73,80,84));document.write(' src="http://ads.adbrite.com/mb/text_group.php?sid=sanitized&zs=sanitized&ifr='+AdBrite_Iframe+'&ref='+AdBrite_Referrer+'" type="text/javascript">');document.write(String.fromCharCode(60,47,83,67,82,73,80,84,62));</script>
<div><a target="_top" href="http://www.adbrite.com/mb/commerce/purchase_form.php?opid=sanitized&afsid=1" style="font-weight:bold;font-family:Arial;font-size:13px;">Your Ad Here</a></div>
It's loading a remote script from the AdBrite servers by writing to the DOM. The String.fromCharCode cleverly writes out the ASCII chars for <script> in order to reference the remote Javascript file.
My question is: why does this work? Don't browsers recognize this as a violation of the Same Origin Policy?
BTW, what prompted my investigation of this was the fact that I'm having trouble getting the URL params to be properly escaped and then un-escaped in GWT's UIBinder.
Thanks
Same origin policy applies to AJAX requests. Loading remote scripts is not governed by this rule, hence solutions like JSONP might exist.