Unsafe JavaScript attempt to access frame with URL (same domain!)
Problem description
From the page file://localhost/Users/pistacchio/dev/epress/catflow/test_html/index.html I have the following (coffeescript) code trying to access an iframe:
    $('#ipad-viewport iframe').bind 'load', () ->
      console.log $(this).contents().find('map')
(This translates to the following JavaScript, but I don't think the issue lies here):
    (function() {
      $('#ipad-viewport iframe').bind('load', function() {
        return console.log($(this).contents().find('map'));
      });
    }).call(this);
I wait for the iframe page to be loaded and try to access an element within its body. I get the following error:
Unsafe JavaScript attempt to access frame with URL file://localhost/Users/pistacchio/dev/epress/catflow/test_html/catalogo/catalog/intro.html from frame with URL file://localhost/Users/pistacchio/dev/epress/catflow/test_html/index.html. Domains, protocols and ports must match.
Now, since the iframe is defined like this:
<iframe src="file://localhost/Users/pistacchio/dev/epress/catflow/test_html/catalogo/catalog/intro.html" width="1024" height="768"></iframe>
Aren't both my page and the iframe in the same domain, or file://localhost? Why am I experiencing this problem?
Oh, if relevant, I'm testing this with Chrome 18.
Recommended answer
file:/// URLs are subject to a slightly different javascript security policy to the normal same origin policy that applies to hosted content. In order to stop a saved web page from being able to read the entire contents of your disk, different files are seen as different origins. Just fire up a local server and host your content on that; you will fall back to the "standard" policy where origins are defined by domain/ip.
If for some reason you can't run a web server, you may get some mileage out of the command line switch: --allow-file-access-from-files. I believe this has the effect of making all file:/// URLs to be defined as belonging to the same origin.
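
Why the two file:// URLs in the question fail the check while the same files served from a local web server pass, as an added example that is not part of the original question or answer. It is a simplified model of the origin comparison, not Chrome's code; the http://localhost:8000 URLs and the port are assumptions.

```javascript
// Simplified model of the same-origin check behind the console error.
// It ignores document.domain, sandboxing and browser command line switches.

function originOf(url) {
  const u = new URL(url);
  // URL.origin is the string "null" for file: URLs: an opaque origin,
  // which is not equal to any other document's origin.
  if (u.origin === 'null') {
    return { opaque: true, scheme: u.protocol };
  }
  // u.port is "" when the port is the scheme default (80 for http:).
  return { opaque: false, scheme: u.protocol, host: u.hostname, port: u.port };
}

function canAccessFrame(pageUrl, frameUrl) {
  const pageOrigin = originOf(pageUrl);
  const frameOrigin = originOf(frameUrl);
  if (pageOrigin.opaque || frameOrigin.opaque) {
    return { allowed: false, reason: 'opaque origin' };
  }
  // "Domains, protocols and ports must match."
  for (const part of ['scheme', 'host', 'port']) {
    if (pageOrigin[part] !== frameOrigin[part]) {
      return { allowed: false, reason: part + ' mismatch' };
    }
  }
  return { allowed: true, reason: 'same origin' };
}

// URLs from the question.
const FILE_PARENT = 'file://localhost/Users/pistacchio/dev/epress/catflow/test_html/index.html';
const FILE_FRAME = 'file://localhost/Users/pistacchio/dev/epress/catflow/test_html/catalogo/catalog/intro.html';
// Constructed: the same two files served from test_html/ on an assumed local port.
const HTTP_PARENT = 'http://localhost:8000/index.html';
const HTTP_FRAME = 'http://localhost:8000/catalogo/catalog/intro.html';

console.log('file://', canAccessFrame(FILE_PARENT, FILE_FRAME));
console.log('http://', canAccessFrame(HTTP_PARENT, HTTP_FRAME));
console.log('other port', canAccessFrame(HTTP_PARENT, 'http://localhost:8001/intro.html'));
```

Binding the local server to 127.0.0.1 keeps the test content off the network while giving both documents the same scheme, host and port.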