Why does new Facebook Javascript SDK not violate the "same origin policy"?


Question


The new Facebook Javascript SDK can let any website login as a Facebook user and fetch data of a user...


So it will be, www.example.com including some Javascript from Facebook, but as I recall, that script is considered to be of the origin of www.example.com and cannot fetch data from facebook.com, because it is a violation of the "same origin policy". Isn't that correct? If so, how does the script fetch data?

Recommended answer

From here: https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript


The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin. This policy dates all the way back to Netscape Navigator 2.0.


and explained slightly differently here: http://docs.sun.com/source/816-6409-10/sec.htm


The same origin policy works as follows: when loading a document from one origin, a script loaded from a different origin cannot get or set specific properties of specific browser and HTML objects in a window or frame (see Table 14.2).


The Facebook script is not attempting to interact with script from your domain or reading DOM objects. It's just going to do its own post to Facebook. It gets your site name, not by interacting with your page, or script from your site, but from the script itself that is generated when you fill out the form to get the "like" button. I registered a site named "http://www.bogussite.com" and got the code to put on my website. The first thing in this code was

iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.bogussite.com&


so the script is clearly getting your site info by hard-coded URL parameters in the link to the iFrame.


Facebook's website is by far not alone in having you use scripts hosted on their servers. There are plenty of other scripts that work this way. All of the Google APIs, for example, including Google Gears, Google Analytics, etc. require you to use a script hosted on their server. Just last week, while I was trying to figure out how to do geolocation for our store finder for a mobile-friendly web app, I found a whole slew of geolocation services that had you use scripts hosted on their servers, rather than copying the script to your server.
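An added example, not code from the answer above or from Facebook's SDK: a same-origin comparison as the browser performs it (scheme, host, port) and a parse of the Like-button iframe URL, showing that the site name is carried in the `href` query parameter rather than read from the embedding page. The URLs are the ones quoted on this page; the `sdk.js` path is a constructed placeholder.

```javascript
// Added example, not code from the original post. It models the two points in
// the answer: (1) an origin is scheme + host + port, so www.example.com and
// www.facebook.com are different origins; (2) the Like plugin learns which site
// it sits on from the href parameter baked into the iframe src, not by reading
// the parent page's DOM, which the same origin policy forbids.

// Origin tuple as the browser compares it. WHATWG URL parsing drops default
// ports, so "http://host:80/" and "http://host/" yield the same origin.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// True only when scheme, host and port all match. Subdomains are different
// hosts, so facebook.com and www.facebook.com are different origins.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Code loaded via <script src="..."> runs with the origin of the document that
// included it, regardless of where it was fetched from. That is why a Facebook
// script on www.example.com cannot read facebook.com documents directly.
function scriptRunsAs(pageUrl, scriptSrc) {
  void scriptSrc; // the fetch location does not affect the script's origin
  return originOf(pageUrl);
}

// Extract the site the Like plugin is told about. Whatever the embedding HTML
// encoded in the src is all the cross-origin iframe will ever know.
function likeTarget(iframeSrc) {
  return new URL(iframeSrc).searchParams.get("href");
}

// Constructed from the src fragment quoted in the answer (truncated there).
const LIKE_SRC =
  "http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.bogussite.com";

// Demonstration when run directly.
console.log(sameOrigin("http://www.example.com/", "http://www.facebook.com/")); // false
console.log(likeTarget(LIKE_SRC)); // http://www.bogussite.com
```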
