same origin policy in external js file
Question
if in the website http://www.mysite.com
there's an external js file added as
<script src="http://www.yoursite.com/new.js"></script>
in the js file http://www.yoursite.com/new.js there's an ajax call to a script in http://www.yoursite.com/new.js
in such a case will there be the same-origin policy security problem, as it's calling a script in a site from another website?
Recommended answer
There will be a problem. new.js runs in the scope of mysite.com, not yoursite.com.
A more detailed explanation would be: when mysite.com is opening a tag, that script runs in the scope of the current page. The source of the script does not matter: it can be inline, local source, or remote source; it is still considered part of mysite.
As you know, scripts in mysite.com cannot access anything on yoursite.com due to the same origin policy. So you cannot do this.
As an advanced option for cross-origin communication, look at JSONP. It will require yoursite.com to provide special handling, but if you have control over both sites then this should not be a problem.
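The rule described in the answer, modelled as an added example that is not part of the original post: the origin used for the same-origin check is the embedding page's, and the script's download location is never consulted. The hostnames come from the question; the function names are hypothetical, and the page is assumed to have no `<base>` element.

```javascript
// Added example: models how the browser picks the origin for a request made by
// an externally hosted script. Function names are hypothetical.

// An origin is the (scheme, host, port) triple; URL.origin normalizes default ports.
function originOf(url) {
  return new URL(url).origin;
}

// pageUrl:   document that contains the <script> tag
// scriptSrc: where the script file was downloaded from (never consulted below)
// target:    URL the script passes to XMLHttpRequest.open(), absolute or relative
function classifyRequest(pageUrl, scriptSrc, target) {
  // Relative URLs resolve against the document, not against the script file.
  const resolved = new URL(target, pageUrl).href;
  const requestOrigin = originOf(pageUrl); // the script runs as the page
  return {
    resolved,
    requestOrigin,
    sameOrigin: originOf(resolved) === requestOrigin,
  };
}

const PAGE = "http://www.mysite.com/index.html";
const SCRIPT = "http://www.yoursite.com/new.js";

function demo() {
  return [
    classifyRequest(PAGE, SCRIPT, "http://www.yoursite.com/data"),  // cross-origin
    classifyRequest(PAGE, SCRIPT, "/data"),                         // resolves to mysite.com
    classifyRequest(PAGE, SCRIPT, "http://www.mysite.com:80/data"), // default port, same origin
    classifyRequest(PAGE, SCRIPT, "https://www.mysite.com/data"),   // scheme differs
  ];
}

for (const r of demo()) {
  console.log(r.sameOrigin ? "same-origin " : "cross-origin", r.resolved);
}
```

The second case is the one that surprises people: a relative URL inside new.js goes to mysite.com, because the script has no origin of its own.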