如果域A有域B的iframe,域B也有域A的iframe,域A可以访问域B的cookie吗?
我记得读到过有关如果域 B 内部有辅助框架,则域 A 能够控制域 B 的内容。我有像 StumbleUpon 这样的页面,我将其他网站放置在 iframe 中。如果其中一个网站将我的页面放入 iframe 中怎么办?此外,Facebook 的 Like 按钮和 Twitter 的 Tweet 按钮等都是 iframe。可以/不能访问哪些数据? 他们能够将脚本注入我的页面吗?
I remember reading about domain A being able to control domain B if domain B has a helper frame inside it. I have pages like StumbleUpon, where I place other websites in iframes. What if one of those websites place my page in an iframe? Also, stuff like Facebook's Like button and Twitter's Tweet button are all iframes. What data would/woudn't that have access to?
Would they be able to inject scripts into my page?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
不,他们无法访问其他域的cookie。
无论您在何处隐藏具有不同域的 iframe,浏览器都会发送为该特定域设置的 cookie。
可以利用
Referer标头创建“赞”按钮。假设,
http://domainA.com/index.html包含Here,当
http://domainB.com/like.html在 iframe 内调用时,HTTP 标头 < code>Referer: http://domainA.com/index.html 随请求一起发送。这样domainB.com/like.html始终知道谁在请求。当domainB.com获得这一小段信息时,它可以检查该页面的点赞数并显示结果。一个实例
将以下代码放入您的任何网站中。之后,每次刷新网站时,它都会显示其加载次数。它会计算点击次数。
No, they can not access other domains cookie.
No matter where you hide an iframe with different domain, browser will always send cookies that were set for that specific domain.
Like button can be created utilizing
Refererheader.Say,
http://domainA.com/index.htmlcontainsHere when
http://domainB.com/like.htmlis called inside the iframe an HTTP headerReferer: http://domainA.com/index.htmlis sent along with the request. This waydomainB.com/like.htmlalways knows who is requesting. WhendomainB.comgot this little piece for information it can just check the number of likes of the page and show the result.A live example
Put the bellow code in any of your websites. After that every time you refresh the the website it'll show how many times its loaded. It'll count the number of hits.
这并不能解决你的问题。仅仅因为他们嵌入了您网站的 iframe,并不意味着您的网站可以更好地访问其他网站中的 cookie、脚本等。
This would not solve your problem. Just because they have an iframe of your site embedded doesn't mean your site has any greater access to cookies, scripts, etc in the other site.
您的网站无法访问 iframe 中的其他域,并且该其他域也无法访问您的网站。但是,如果 iframe 与父级位于同一域下,则可以通过 javascript 访问它。
在这里阅读更多信息:http://pipwerks。 com/2008/11/30/iframes-and-cross-domain-security-part-2/
编辑:这里有一些更好的阅读http://javascript.info/tutorial/same-origin-security-policy
编辑2:关于您关于 Facebook Like 按钮等的问题。这取决于您如何将 Like 按钮添加到您的页面。如果您通过内联 javascript 添加它,则 javascript 将可以访问您网站上的所有内容。但是,如果它只是插入到文档中的 iframe,它将无法访问页面上的任何内容
Your site can't access another domain in an iframe, and that other domain can't access your site. However, if the iframe is under the same domain as the parent, it can be accessed via javascript.
Read more here: http://pipwerks.com/2008/11/30/iframes-and-cross-domain-security-part-2/
Edit: Here's some more good reading http://javascript.info/tutorial/same-origin-security-policy
Edit2: Regarding your questions about Facebook Like button etc. That depends on how you add the like button to your page. If you add it via a inline javascript that javascript will have access to everything on your site. However if its just an iframe inserted into the document it won't have access to anything on your page
不可以,同源策略禁止访问:除非两个文档具有相同的来源(基本上URL 中的协议、主机和端口号相同),在源中运行的脚本无法访问另一个文档的 DOM,除非它位于同一源中。
但这些“社交插件”通常是通过从服务器加载外部脚本来嵌入的。在这种情况下,外部脚本将被加载,然后在页面的原始位置执行。因此同源策略不适用。在这种情况下,这些脚本将能够访问 JavaScript 可以访问的任何 cookie(即没有 HttpOnly 标志)。
No, the Same-Origin Policy forbids the access: Unless the two documents have the same origin (basically same protocol, host, and port number in URL), scripts running in origin cannot access another document’s DOM unless it’s in the same origin.
But those ‘social plugins’ are often embedded by loading an external script from their servers. In that case the foreign script is loaded and then executed in the origin of your page. So the Same-Origin Policy does not apply. In that case those scripts would be able to access any cookie that is accessible by JavaScript (i. e. no HttpOnly flag).