托管在不同域上的 JavaScript 可以读取/修改另一个域的 DOM 吗? [英] Can a JavaScript hosted on different domain read/modify DOM of another domain?
问题描述
我有一个关于托管在域(例如:CDN 的域,例如 example.com)上但从不同域(例如 example.net)下的网站加载的 JavaScript 的潜在安全问题/限制的问题.
I have a question regarding a potential security issue/limitation regarding JavaScript hosted on a domain (ex: domain of a CDN, say example.com), but loaded from a website under a different domain (say, example.net).
现在想象一下,加载的 JavaScript 只会读取/修改具有特定 id 的 div
中的文本,所以没有什么复杂"的.一个例子:我从 http://example.com/myscript.js 加载了脚本,并且在 http://example.net/index.html 上执行:[注意不同的 TLD!]
Now imagine that the JavaScript loaded will just read/modify text in a div
with a particular id, so nothing "complicated".
An example: I have the script loaded from http://example.com/myscript.js, and executed on http://example.net/index.html: [note the different TLD!]
<!-- Page example.net/index.html -->
<script src="http://example.com/myscript.js"></script>
我知道我无法从 JavaScript 访问 mysite.com 下的 Cookie,但我可以访问页面上的所有 DOM,以防万一,修改它.这不是一个可能的安全问题吗?这不应该触发同源策略保护吗?
I know that I can't access Cookies under mysite.com from the JavaScript, but I can access all the DOM on the page and in case, modify it. Isn't this a possible security issue? Shouldn't this trigger the same-origin-policy protection?
是否存在阻止托管在不同域上的 JavaScript 访问执行脚本的页面中的元素的用户代理?
Are there user agents that prevents a JavaScript hosted on a different domain to access elements in the page that executes the script?
此外,上面的示例是否也适用于 HTTPS 页面?(例如:https://example.net/index.html 从 https://example.com/myscript.js)
And, moreover, will the example above work also on HTTPS pages? (ex: https://example.net/index.html loads the script from https://example.com/myscript.js)
推荐答案
客户端 JavaScript 中所有基于 URL 的安全限制都基于包含加载的 元素的网页的 URLJS.
All URL based security restrictions in client side JavaScript are based on the URL of the webpage containing the <script>
element which loads the JS.
JS 本身所在的 URL 无关紧要.
The URL the JS itself is hosted at is irrelevant.
现在,我知道我无法从 JS 访问 mysite.com 下的 Cookie.
Now, I know that I can't access Cookies under mysite.com from the JS.
脚本被加载到 example.net
并托管在 example.com
上.它可以从 example.net
读取 cookie.它无法从 example.com
读取 cookie.(example.com
上的服务器端代码可以动态生成 JavaScript 并嵌入从 cookie 中取出的数据).
The script is loaded into example.net
and hosted on example.com
. It can read cookies from example.net
. It cannot read cookies from example.com
. (Server side code on example.com
could dynamically generate the JavaScript and embed data taken out of cookies though).
但是,我可以访问页面上的所有 DOM,并且可以修改它.
But, I can access all the DOM on the page, and, in case, modify it.
是的
这难道不是一个可能的安全问题吗?这不应该触发同源策略保护吗?
Isn't this a possible security issue? Shouldn't this trigger the same-origin-policy protection?
这是一个潜在的安全问题,但不应触发同源策略.
It is a potential security issue, but it should not trigger the Same Origin Policy.
通过加载脚本,页面作者信任托管脚本的站点.
By loading the script, the author of the page is trusting the site hosting the script.
不要从您不信任的网站嵌入 JS.
Do not embed JS from sites you do not trust.
此外,上面的示例是否也适用于 HTTPS 页面?(例如:https://example.net/index.html
从 https://example.com/myscript.js
加载脚本)
And, moreover, will the example above work also on HTTPS pages? (ex:
https://example.net/index.html
loads the script fromhttps://example.com/myscript.js
)
具有不同方案的 URL 具有不同的来源,就像具有不同主机名的 URL.同源策略规则相同,因为它们基于起源而不是起源的特定特征.
URLs with different schemes have different origins, just as URLs with different hostnames. The Same Origin Policy rules are the same as they are based on origin not particular features of origins.
有时您会得到额外的限制,禁止通过 HTTPS 加载的页面访问通过 HTTP 加载的内容,因为这会破坏 SSL 安全性.这是一个不同的安全限制,与同源策略无关.
Sometimes you will get additional restrictions where a page loaded over HTTPS will be forbidden from accessing content loaded over HTTP since that breaks the SSL security. This is a different security restriction that is unrelated to the Same Origin Policy.
这篇关于托管在不同域上的 JavaScript 可以读取/修改另一个域的 DOM 吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!