Ok, so this is weird.
I already know what an origin is (https://developer.mozilla.org/en-US/docs/Glossary/Origin), how to correctly use the "Access-Control-Allow-Origin" header, and so on, but this is something I have never seen before.
I have a "father" window.
This window is opening a "child" window through the window.open(url) method.
The URL provided is the same URL as the father window's:
var childWindow = window.open(window.location.href);
When the father window tries to access a property of the childWindow, it gets the cross-origin error:
childWindow.data;
> Uncaught DOMException: Blocked a frame with origin XXXXXXXXXXXXX from accessing a cross-origin frame.
Interesting thing is: in the browser developer console of "father" window, typing
window.location.origin;
prints the origin (something like http://a.b.c)
and in the browser developer console of "child" window, typing
window.location.origin;
prints exactly the same origin (something like http://a.b.c)
Note: there are no iframes involved here. The window.location.href URL is responding with 200 OK (not 302 or other things) and a simple HTML page with some CSS and scripts.
Note #2: the two instructions are executed sequentially. There is no other code in between.
Note #3: obviously XXXXXXXXXXX is not the real origin, I omitted it for privacy concerns. But it is something like http://a.b.c (implicit port 80)
Note #4: this is not relevant here because it should also work without it, but the window.location.href URL is responding with the response header "Access-Control-Allow-Origin": *
Any thoughts?