How Come a CDN or External JavaScript File works in a Web Site?

Views: 76

Problem description

First off, I'm embarrassed that I don't know this. I know these things work, but just not sure why. There is something I still don't get about CDNs and stuff like Google Analytics or Adsense.

If these scripts are coming from a domain other than your site's domain how does this all tie in with same origin policy (SOP) and cross-site scripting (XSS)? From what I understand about XSS and SOP, these scripts just shouldn't be able to run or interact with the DOM in your site. How come they are given special privileges? And how are these special privileges differentiated from other external scripts that cause errors in browsers due to XSS and SOP?

In a nutshell, I want to know why scripts from another domain are allowed to run, interact with and manipulate my site?

Recommended answer

You're misunderstanding those policies.

SOP prevents a page (such as in a frame) from interacting with a page from a different domain, or from reading a resource (AJAX request) in a different domain.

There is nothing wrong with a script from a different domain executing in your page, as long as you explicitly load it. (that's how JSONP works) However, you can't read the script's source, since that's a resource from a different domain.

Browser security restrictions are based on the source of the page executing the code, not the site that a particular <script> came from.

Note that including Javascript from a different domain grants that script full access to your page; it can send AJAX requests (to your domain) and steal information by sending non-AJAX requests to other domains.

Only include a script from a different domain if you trust that domain.
