window.name作为数据传输:一种有效的方法? [英] window.name as a data transport: a valid approach?
问题描述
概述和原始问题
window.name 是一个有趣的野兽。 MDN的描述提示原始意图:
window.name is an interesting beast. MDN's description hints at the original intent:
窗口名称主要用于设置超链接和表单的目标。 Windows不需要有名字。
The name of the window is used primarily for setting targets for hyperlinks and forms. Windows do not need to have names.
所以,这意味着我们可以在这个窗口中打开控制台,并写:
So, this means we can open the console in this window, and write:
var win = window.open('http://google.com', 'el goog');
...然后让它通过弹出窗口拦截器,应该在窗口中打开google.com名为el goog。由于同源策略,我无法访问 win 的名称属性,但是如果我打开一个控制台在新窗口中输入 name ,我将获得el goog。
...and then let it through the popup blocker, that should open google.com in a window named "el goog." I can't access the name property of win because of the same-origin policy, but if I open a console in the new window and type name, I'll get "el goog".
如果我将窗口发送回我打开的域(在本例中为stackoverflow.com),我可以获得 name 属性,它没有改变。
If I send the window back to the domain I opened it from (in this case stackoverflow.com), I can get the name property, and it hasn't changed.
win.location.replace(location.href);
win.name; // "el goog"
这意味着我们可以设置一种跨域会话存储窗口的名称属性。
This means we can have a kind of cross-domain session store by setting the name property of a window.
如果google.com 已更改值 window.name 在窗口被发送回原始域之前,我们会看到新值而不是el goog。这可以用作跨域数据传输,类似于JSONP或CORS的实用程序。
If google.com had changed the value of window.name before the window was sent back to the original domain, we'd see the new value instead of "el goog." This could be used as a cross-domain data transport, similar in utility to JSONP or CORS.
我做了一些搜索以尝试查找更多信息,显然dojo 认为它是合法的作为交通工具。但不知何故,这并不能完全让我放心。所以我的问题是,是否有任何信誉良好的网站使用 window.name 作为数据传输?我认为这很容易被发现,因为他们的文档会说添加'回调'到JSONP的查询字符串,或者为window.name添加'无论什么',但是我从来没有见过这样的东西。有没有人在野外发现过这个?
I did a bit of searching to try to find more info, and apparently dojo thinks it's legit as a transport. Somehow, though, that doesn't completely reassure me. So my question is, are any reputable sites using window.name as a data transport? I'd think it would be easily spotted, because their docs would say something like "add 'callback' to the query string for JSONP, or add 'whatever' for window.name," but I've never seen anything like that. Has anyone actually spotted this in the wild?
替代问题
可能没有人真正使用这种技术;如果那是真的那么(正如Rob W指出的那样)上面的问题是无法回答的。所以,我的另一个问题是,这种方法有什么问题?这可能有助于解释为什么它还没有真正被采用。
It may be the case that nobody is really using this technique; if that's true then (as Rob W pointed out) the question above is unanswerable. So, my alternate question is, what are the problems with this approach? This might help explain why it hasn't really been adopted.
正如我所看到的,这种方法比JSONP至少有两个好处。
As I see it, there are at least two benefits to this approach over JSONP.
-
使用JSONP,您可以信任来自外国的脚本在您的域上运行。使用
window.name,恶意网站包含的任何脚本都可以在自己的域中运行。
With JSONP, you trust a script from a foreign origin to run on your domain. With
window.name, any scripts included by a malicious site would run on their own domain.
使用JSONP,无法传递大数据(对于URL来说太大了),也无法进行HTTP POST。使用 window.name ,我们可以发布任意大小的任意数据。
With JSONP, there is no way to pass in big data (anything too big for a URL), and no way to make an HTTP POST. With window.name, we can post arbitrary data of any size.
有什么缺点?
实施示例
以下是客户端实现的一个非常简单的示例。这不处理POST请求,只处理GET。
Here is a very simple example of a client implementation. This doesn't handle POST requests, only GET.
function fetchData(url, callback) {
var frame = document.createElement('iframe');
frame.onload = function() {
frame.onload = function() {
callback(frame.contentWindow.name);
frame.parentNode.removeChild(frame);
}
frame.src = 'about:blank';
}
frame.src = url;
document.body.appendChild(frame);
}
// using it
fetchData('http://somehost.com/api?foo=bar', function(response) {
console.log(response);
});
我已经设置了一个小提琴来测试它这里。
它使用此脚本作为测试服务器。
I've set up a fiddle to test it out here. It uses this script as a test server.
这是一个稍微长一点的例子,可以发出POST请求: http:// jsfiddle.net/n9Wnx/2/
Here is a slightly longer example that can make POST requests: http://jsfiddle.net/n9Wnx/2/
摘要
据我所知, window.name 并没有成为数据传输。我想知道我的感知是否准确(因此是原始问题),如果是这样,我想知道为什么就是这种情况。我列出了 window.name 似乎超过JSONP的一些优点。任何人都可以找出可能导致阻止采用这种技术的一些缺点吗?
As far as I can tell, window.name has not caught on as a data transport. I wonder if my perception is accurate (thus the original question) and if so, I wonder why this is the case. I've listed a few advantages that window.name seems to have over JSONP. Can anyone identify some disadvantages that might have contributed to preventing adoption of this technique?
更重要的是,任何人都可以给我一个坚实的理由为什么我不应该使用 winow.name 作为数据传输?
More to the point, can anyone give me a solid reason why I shouldn't use winow.name as a data transport?
推荐答案
window.name 作为运输工具不是特别好作为(AFAIK),当它发生变化时,它不会触发任何事件。因此,试图使用 window.name 作为双向通信渠道的应用程序必须轮询它以进行更新。
window.name isn't particularly good as a transport, as (AFAIK) it doesn't fire any events when it's changed. As a result, an application which was trying to use window.name as a two-way communications channel would have to poll it for updates.
对于实际使用它的网站:我从未听说过任何网站。可能有一些,但我只是从纯粹的理论意义上听说过这种技术。
As far as sites that actually use it: I've never heard of any. There might be some, but I've only heard this technique discussed in a purely theoretical sense.
这篇关于window.name作为数据传输:一种有效的方法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
