托管在不同域上的 JavaScript 可以读取/修改另一个域的 DOM 吗? [英] Can a JavaScript hosted on different domain read/modify DOM of another domain?
问题描述
我有一个关于托管在域(例如:CDN 的域,例如 example.com)上但从不同域(例如 example.net)下的网站加载的 JavaScript 的潜在安全问题/限制的问题.
I have a question regarding a potential security issue/limitation regarding JavaScript hosted on a domain (ex: domain of a CDN, say example.com), but loaded from a website under a different domain (say, example.net).
现在想象一下,加载的 JavaScript 只会读取/修改具有特定 id 的 div 中的文本,所以没有什么复杂"的.一个例子:我从 http://example.com/myscript.js 加载了脚本,并且在 http://example.net/index.html 上执行:[注意不同的 TLD!]
Now imagine that the JavaScript loaded will just read/modify text in a div with a particular id, so nothing "complicated".
An example: I have the script loaded from http://example.com/myscript.js, and executed on http://example.net/index.html: [note the different TLD!]
<!-- Page example.net/index.html -->
<script src="http://example.com/myscript.js"></script>
我知道我无法从 JavaScript 访问 mysite.com 下的 Cookie,但我可以访问页面上的所有 DOM,以防万一,修改它.这不是一个可能的安全问题吗?这不应该触发同源策略保护吗?
I know that I can't access Cookies under mysite.com from the JavaScript, but I can access all the DOM on the page and in case, modify it. Isn't this a possible security issue? Shouldn't this trigger the same-origin-policy protection?
是否存在阻止托管在不同域上的 JavaScript 访问执行脚本的页面中的元素的用户代理?
Are there user agents that prevents a JavaScript hosted on a different domain to access elements in the page that executes the script?
此外,上面的示例是否也适用于 HTTPS 页面?(例如:https://example.net/index.html 从 https://example.com/myscript.js)
And, moreover, will the example above work also on HTTPS pages? (ex: https://example.net/index.html loads the script from https://example.com/myscript.js)
推荐答案
客户端 JavaScript 中所有基于 URL 的安全限制都基于包含加载的
