Ways to circumvent the same-origin policy


Question

I wanted to make a community wiki regarding HTML/JS same-origin policies to hopefully help anyone searching for this topic. This is one of the most searched-for topics on SO and there is no consolidated wiki for it, so here I go :)


The same-origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin. This policy dates all the way back to Netscape Navigator 2.0.



What are some of your favorite ways to go around same-origin policies?

Please keep examples verbose and preferably also link your sources.

Accepted answer

  • The document.domain method

    • Method type: iframe.

      Note that this is an iframe method that sets the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http://store.company.com/dir/other.html executes the following statement:

      document.domain = "company.com";
      

      After that statement executes, the page would pass the origin check with http://company.com/dir/page.html. However, by the same reasoning, company.com could not set document.domain to othercompany.com.

      With this method, you would be allowed to execute JavaScript from an iframe sourced on a subdomain on a page sourced on the main domain. This method is not suited for cross-domain resources, as browsers like Firefox will not allow you to change document.domain to a completely alien domain.

      Source: https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript


  • The Cross-Origin Resource Sharing (CORS) method

    • Method type: AJAX.

      Cross-Origin Resource Sharing (CORS) is a W3C Working Draft that defines how the browser and server must communicate when accessing sources across origins. The basic idea behind CORS is to use custom HTTP headers to allow both the browser and the server to know enough about each other to determine if the request or response should succeed or fail.

      For a simple request, one that uses either GET or POST with no custom headers and whose body is text/plain, the request is sent with an extra header called Origin. The Origin header contains the origin (protocol, domain name, and port) of the requesting page so that the server can easily determine whether or not it should serve a response. An example Origin header might look like this:

      Origin: http://www.stackoverflow.com
      

      If the server decides that the request should be allowed, it sends an Access-Control-Allow-Origin header echoing back the same origin that was sent, or * if it's a public resource. For example:

      Access-Control-Allow-Origin: http://www.stackoverflow.com
      

      If this header is missing, or the origins don't match, then the browser disallows the request. If all is well, then the browser processes the request. Note that neither the requests nor responses include cookie information.

      The Mozilla team suggests in their post about CORS that you should check for the existence of the withCredentials property to determine if the browser supports CORS via XHR. You can then couple that with the existence of the XDomainRequest object to cover all browsers:

      function createCORSRequest(method, url){
          var xhr = new XMLHttpRequest();
          if ("withCredentials" in xhr){
              // XHR with CORS support (Firefox, Chrome, Safari, ...)
              xhr.open(method, url, true);
          } else if (typeof XDomainRequest != "undefined"){
              // IE8/9: cross-origin requests only through XDomainRequest
              xhr = new XDomainRequest();
              xhr.open(method, url);
          } else {
              // no CORS support at all
              xhr = null;
          }
          return xhr;
      }
      
      var request = createCORSRequest("get", "http://www.stackoverflow.com/");
      if (request){
          request.onload = function() {
              // ... handle request.responseText
          };
          request.onerror = function() {
              // the server did not allow this origin, or the request failed
          };
          request.send();
      }
      

      Note that for the CORS method to work, you need to have access to some kind of server header mechanic and can't simply access any third-party resource.

      Source: http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/


  • The window.postMessage method

    • Method type: iframe.

      window.postMessage, when called, causes a MessageEvent to be dispatched at the target window when any pending script that must be executed completes (e.g. remaining event handlers if window.postMessage is called from an event handler, previously-set pending timeouts, etc.). The MessageEvent has the type message, a data property which is set to the string value of the first argument provided to window.postMessage, an origin property corresponding to the origin of the main document in the window calling window.postMessage at the time window.postMessage was called, and a source property which is the window from which window.postMessage is called.

      To use window.postMessage, an event listener must be attached:

          // Internet Explorer
          window.attachEvent('onmessage',receiveMessage);
      
          // Opera/Mozilla/Webkit
          window.addEventListener("message", receiveMessage, false);
      

      The receiveMessage function must be declared:

      function receiveMessage(event)
      {
          // check the sender before trusting the message (see below);
          // "https://trusted.example" is a placeholder for the expected origin
          if (event.origin !== "https://trusted.example") return;
          // do something with event.data;
      }
      

      The off-site iframe must also send events properly via postMessage:

      <script>window.parent.postMessage('foo','*')</script>
      

      Any window may access this method on any other window, at any time, regardless of the location of the document in the window, to send it a message. Consequently, any event listener used to receive messages must first check the identity of the sender of the message, using the origin and possibly source properties. This cannot be understated: Failure to check the origin and possibly source properties enables cross-site scripting attacks.

      Source: https://developer.mozilla.org/en/DOM/window.postMessage
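As an added example (not part of the answer above or of the MDN and NCZOnline sources it cites), the following Node.js script shows the two checks the answer says the CORS and postMessage methods depend on: on the server side, an Access-Control-Allow-Origin decision that echoes only exact, well-formed origins from an allowlist and never combines * with credentials; on the receiving side of postMessage, a listener that compares event.origin and event.source exactly before using event.data, plus a sender that refuses the "*" target origin. Everything in it is constructed for the example: the function names (parseOrigin, corsHeaders, acceptMessage, postToOrigin), the origins, and the stub window objects; no browser is needed to run it.

```javascript
// Added example, not code from the original answer: origin validation on
// both sides of the cross-origin mechanisms the answer describes.
// Runs stand-alone under Node.js; every request, event and window below is
// a constructed stand-in for what a browser would supply.

// --- CORS: deciding Access-Control-Allow-Origin on the server --------------

// Parse an Origin header value into a serialised origin (scheme://host[:port]).
// Returns null for anything that is not exactly an origin: "null", a full URL
// with a path or fragment, a non-http(s) scheme, or an unparseable string.
function parseOrigin(value) {
  if (typeof value !== "string") return null;
  let u;
  try { u = new URL(value); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  // u.origin is the canonical serialisation; if it differs from the input,
  // the input carried extra parts (path, query, fragment, userinfo, ...).
  return u.origin === value ? u.origin : null;
}

// Compute the CORS response headers for a request, or null when the Origin is
// not allowed; with null the server sends no ACAO header and the browser
// blocks the response. `allowlist` holds exact origins, optionally "*".
// `opts.credentials` means cookies are involved, which rules out "*".
function corsHeaders(requestOrigin, allowlist, opts) {
  const credentials = Boolean(opts && opts.credentials);
  const origin = parseOrigin(requestOrigin);
  if (origin === null) return null;

  // Public resource: "*" is only valid without credentials, because browsers
  // reject "*" together with Access-Control-Allow-Credentials: true.
  if (allowlist.has("*") && !credentials) {
    return { "Access-Control-Allow-Origin": "*" };
  }
  // Exact match only. Substring or prefix checks would also accept
  // look-alikes such as http://www.stackoverflow.com.lookalike.example.
  if (!allowlist.has(origin)) return null;

  const headers = {
    "Access-Control-Allow-Origin": origin, // echo the exact allowed origin
    "Vary": "Origin",                      // the answer differs per origin; tell caches
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// --- postMessage: validating the sender in the receiving window ------------

// Return event.data if the MessageEvent may be acted upon, else null.
// `trustedOrigins` is a set of exact origins; `expectedSource`, when given,
// is the window we created ourselves (e.g. an iframe's contentWindow), so a
// message from a different window is dropped even if its origin matches.
function acceptMessage(event, trustedOrigins, expectedSource) {
  if (!event || typeof event.origin !== "string") return null;
  if (!trustedOrigins.has(event.origin)) return null;
  if (expectedSource !== undefined && event.source !== expectedSource) return null;
  return event.data;
}

// Send to a named origin instead of "*", so the data is not delivered if the
// target window has since navigated somewhere else. `targetWindow` only
// needs a postMessage method, so a stub object works here.
function postToOrigin(targetWindow, data, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post to any origin; name the intended one");
  }
  targetWindow.postMessage(data, targetOrigin);
}

// Constructed demo run: the origin from the answer's example and a look-alike
// that must be refused.
const demoAllowlist = new Set(["http://www.stackoverflow.com"]);
console.log(corsHeaders("http://www.stackoverflow.com", demoAllowlist));
console.log(corsHeaders("http://www.stackoverflow.com.lookalike.example", demoAllowlist));
```

The parsing step matters as much as the comparison: a server that copies the raw Origin header into Access-Control-Allow-Origin after a loose match has effectively disabled the browser-side check, and a listener that tests event.origin with indexOf or startsWith accepts any origin that merely contains the trusted name.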

