跨域JavaScript父位置设置firefox错误 [英] Cross Domain JavaScript parent location setting firefox error

问题描述

在这种情况下：

页面A包含iframe B，B包含iframe C，A和B在同一域下，C在另一个域下。
C尝试使用＃之后的额外信息重置父B的位置，以使用Fragment Id Messaging解决跨域通信。
IE6 / 7/8只适用于这种情况，而Firefox会阻止 parent.location 设置出现错误消息[访问遭到拒绝的资源代码：1010 ]。
但是如果B是顶层窗口，意思是没有A，Firefox也存在。


对我来说奇怪...你能请帮忙吗？

历史上，任何窗口都可能改变任何其他窗口的位置。这证明是一个问题，因为，除其他事项，这意味着嵌入一个登录iframe在一个窗口是不安全的（因为那么一个恶意网站可以替换登录iframe与欺骗版本）。随着时间的推移，对浏览器窗口的位置更改已应用进一步的限制，直到现在， HTML5 和大多数浏览器已在祖先政策上达成共识。简而言之，改写HTML5规范，窗口A可以改变另一个窗口B的位置iff：

• A和B的位置具有相同的来源，也就是说它们具有相同的方案，主机和端口（例如http，stackoverflow.com，80）或


• B是顶级窗口，并且A是嵌套在B（直接孩子，孩子的孩子等）内的某个深度的框架中的窗口，或


• B是使用<$ c $打开的窗口c> window.open 并且A可以更改打开B的窗口的位置（因此B是由A打开的弹出窗口，由A打开的弹出窗口或更大的深度）或


• B不是顶级窗口，而是其父窗口或其父级父窗口，或者在某些类似量的父级窗口中，该窗口和A的位置是同源的

（同源起源比这更复杂，但上面的嵌入式描述抓住了它的本质，涵盖了最常见的情况。）

根据此政策，C可能会更改A的位置，A可能会更改B或C的位置，但C不能更改B的位置。如果您需要工作那么您应该将您的网页A的位置更改为适当更改B的位置;或者，您可以要求您的信息页B更改自己的位置。 p>

希望这是翔实的，如果不一定有帮助。浏览器安全模型并没有像 这样设计，只有最近在HTML5中工作，才真正被精确地解决了这些跨浏览器不一致的问题。 / p>

所有的说，我惊讶IE7和IE8为你工作 - 这是我的理解上述政策主要是基于政策IE7实施。

Here is the case:
page A contains iframe B, B contains iframe C, A and B are under the same domain, C under another.
C tries to reset parent B's location with extra information following "#" to solve cross domain communication using Fragment Id Messaging.

IE6/7/8 just works fine with this case, while Firefox blocks parent.location setting with error message [Access to property denied" code: "1010]. But if B is the top window, meaning there is no A, Firefox lives too.

It's strange to me... Could you guys please help?

Thank you!

解决方案

Historically, any window could change the location of any other window. This turned out to be a problem because, among other things, it meant embedding a login iframe in a window was unsafe (because then a malicious site could replace the login iframe with a spoofed version). Over time further restrictions have been applied to location changes to browser windows, until now, when HTML5 and most browsers have reached common agreement on the ancestor policy. In a nutshell, paraphrasing the HTML5 specification, a window A can change the location of another window B iff:

• the locations of A and B have the same origin, which is to say they have the same scheme, host, and port (http, stackoverflow.com, 80 for example), or
• B is a top-level window, and A is a window in a frame nested at some depth within B (direct child, child of a child, etc.), or
• B is a window opened using window.open and A can change the location of the window that opened B (so B is a popup opened by A, by a popup window opened by A, or at greater depth), or
• B isn't a top-level window, but its parent window, or its parent's parent window, or at some similar amount of parentage the locations of that window and A are same-origin

(Same origin is more complicated than this, but the embedded description above catches its essence and covers the most common cases.)

Under this policy, C may change the location of A, and A may change the location of B or C, but C may not change the location of B. If you need to work around this, then you should change your page A's location to something that changes B as appropriate; alternately, you could ask your page B to change its own location.

Hopefully that's informative, if not necessarily helpful. The browser security model wasn't so much designed as evolved, and only with recent work in HTML5 is it really being precisely nailed down to address these cross-browser inconsistencies.

All that said, I'm surprised IE7 and IE8 work for you -- it was my understanding the above policy was primarily based upon the policy IE7 implemented.

这篇关于跨域JavaScript父位置设置firefox错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！