How does same origin policy solve issues with XHR, cookies and cross page communication?


Problem description

I understand that same origin policy is about restricting javascript from other domains from accessing contents of a page.

I read these particular points of importance of same origin policy on the Web:

  • XmlHttpRequests: they don't work if done cross domain. But why would a Web page make an xhr request to a less trusted site in the first place? Isn't it the Web page's fault? Why impose a restriction then?

  • cookies: it is not right if a malicious page can view my Facebook cookies. So if it tries to check "document.cookies" it will never see my Facebook cookies anyway. Where does the same origin policy come into the picture here?

  • cross page communication: the only way a malicious page opened in a tab can view information about another page is via cookies and/or local storage. So where does same origin policy help here?

Recommended answer

XmlHttpRequests

For example: To stop your site using my browser to get my data from my bank's website when my browser is logged into my bank.

Cookies

The same origin policy doesn't apply to cookies. Cookies are simply sent to the site for which they are registered.

cross page communication: the only way a malicious page opened in a tab can view information about another page is via cookies and/or local storage. So where does same origin policy help here?

You're operating under a misconception. Access to other pages is also available through window.open and frames (including iframes).

Once you have access to the DOM of another page, you can get data from it and you have the same issues that you would if XHR exposed other websites to JavaScript. Thus the same origin policy locks access to remote documents through frames.
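As an added illustration of the answer above (this is not code from the question, the answer, or any browser; it is a model written for this page), the following JavaScript shows the origin comparison a browser performs before it lets script on one page read another document, whether that document is an iframe's DOM or an XHR response body. The origin is the scheme, host and port triple, so a different scheme, a different subdomain or a non-default port all count as a different origin. The hostnames bank.example and evil.example are constructed samples; the function names are this example's own. It runs under Node (which provides the global `URL`) or in a browser console.

```javascript
// Added example, not code from the original question or answer: a model of
// the origin check a browser applies before letting script from one page
// read another document (an iframe's DOM or an XHR response body).
// Hostnames such as bank.example and evil.example are constructed samples.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// An origin is the (scheme, host, port) triple; path, query and fragment
// are ignored. A missing port means the scheme's default port.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

function isSameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Whether script running on `pageUrl` may read the document at `targetUrl`.
// Note what the policy does NOT do: the browser still sends the request,
// with the target site's own cookies attached (cookies go to the site they
// are registered for, as the answer says). That is exactly why reading the
// response must be blocked when the origins differ.
function mayReadDocument(pageUrl, targetUrl) {
  return isSameOrigin(pageUrl, targetUrl) ? 'allowed' : 'blocked';
}

// The bank scenario from the answer, plus the edge cases that trip people up.
function demo() {
  const cases = [
    ['https://evil.example/', 'https://bank.example/account'],     // other site
    ['https://bank.example/help', 'https://bank.example/account'], // same site
    ['http://bank.example/', 'https://bank.example/'],             // scheme differs
    ['https://bank.example:443/', 'https://bank.example/'],        // default port
    ['https://bank.example/', 'https://bank.example:8443/'],       // port differs
    ['https://www.bank.example/', 'https://bank.example/'],        // subdomain differs
  ];
  return cases.map(([page, target]) => ({
    page,
    target,
    result: mayReadDocument(page, target),
  }));
}

for (const r of demo()) {
  console.log(`${r.page} -> ${r.target}: ${r.result}`);
}
```

Running it prints `blocked` for the evil.example page reading the bank's account page and `allowed` only for the two URLs on the same scheme, host and port; the explicit `:443` case is `allowed` because it equals the https default, while the `http://` variant and the `:8443` and `www.` variants are all `blocked`.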
