JavaScript - 跨站点脚本 - 权限被拒绝 [英] JavaScript - Cross Site Scripting - Permission Denied
问题描述
我有一个网络应用程序,我正在尝试使用 Twitter 的 OAuth 功能.此应用程序有一个链接,提示用户输入其 Twitter 凭据.当用户单击此链接时,将通过 JavaScript 打开一个新窗口.该窗口用作对话框.这是这样完成的:
主页:
<div id="promptDiv"><a href="#" onclick="launchDialog('twitter/prompt.aspx');">提供凭据</a></div>...
function launchDialog(url) {var specs = "location=0,menubar=0,status=0,titlebar=0,toolbar=0";var dialogWindow = window.open(url, "dialog", specs, true);}当用户单击链接时,他们会从 prompt.aspx 页面重定向到 Twitter 的站点.在 Twitter 站点上,用户可以选择输入他们的 Twitter 凭据.当他们提供凭据后,他们将被重定向回我的站点.这是通过回调 url 完成的,该 url 可以为 Twitter 站点上的应用程序设置.
当回调发生时,用户被重定向到/twitter/confirm.aspx"在我网站的对话窗口中.发生这种情况时,我想更新promptDiv"的内容以说您已成功连接 Twitter"以替换链接并关闭对话框.这用于通知用户他们已成功完成此步骤.我可以成功关闭对话窗口.但是,当我尝试更新 HTML DOM 时,我收到一条错误消息,显示错误:获取属性 Window.document 的权限被拒绝".为了更新 HTML DOM,我尝试在/twitter/confirm.aspx"中使用以下脚本:
//第一行抛出错误.var confirmDiv = window.opener.document.getElementById("confirmDiv");if (confirmDiv != null){//更新内容}window.close();然后我只是尝试读取 HTML 以查看是否可以通过以下脚本访问 DOM:
alert(window.opener.document.body.innerHTML);当我尝试此操作时,我仍然收到权限被拒绝"错误.我知道这与跨站点脚本有关.但是,我不知道如何解决它.我该如何解决这个问题?我是否错误地构建了我的应用程序?用户被重定向回我的网站后,如何更新 HTML DOM?
感谢您的帮助!
当弹出窗口打开 Twitter 身份验证页面时,您将失去与 winodw 通信的原始能力,因为它的文档域已更改并且 window.opener 已更改重置.
为了解决 SitePen 的 NetFlix Queued 的问题,我使用了一个计时器并轮询弹出窗口以了解其位置的更改(您可以继续访问).如果它转到错误页面或成功页面,我知道并可以关闭弹出窗口(您可以控制窗口,但不能控制 DOM)并更改主页面中的内容以反映授权状态.
我们还检查了窗口关闭 - 在用户未授权和关闭弹出窗口的情况下.
我们无法使用回调,因为这是在 Adobe AIR 中完成的,并且没有可以回调"的服务器,这造成了额外的障碍.
I have a web application for which I am trying to use Twitter's OAuth functionality. This application has a link that prompts a user for their Twitter credentials. When a user clicks this link, a new window is opened via JavaScript. This window serves as a dialog. This is accomplished like such:
MainPage:
<div id="promptDiv"><a href="#" onclick="launchDialog('twitter/prompt.aspx');">Provide Credentials</a></div>
...
function launchDialog(url) {
var specs = "location=0,menubar=0,status=0,titlebar=0,toolbar=0";
var dialogWindow = window.open(url, "dialog", specs, true);
}
When a user clicks the link, they are redirected to Twitter's site from the prompt.aspx page. On the Twitter site, the user has the option to enter their Twitter credentials. When they have provided their credentials, they are redirected back to my site. This is accomplished through a callback url which can be set for applications on Twitter's site.
When the callback happens, the user is redirected to "/twitter/confirm.aspx" on my site in the dialog window. When this happens I want to update the contents of "promptDiv" to say "You have successfully connected with Twitter" to replace the link and close the dialog. This serves the purpose of notifying the user they have successfully completed this step. I can successfully close the dialog window. However, when I am try to update the HTML DOM, I receive an error that says "Error: Permission denied to get property Window.document". In an attempt to update the HTML DOM, I tried using the following script in "/twitter/confirm.aspx":
// Error is thrown on the first line.
var confirmDiv = window.opener.document.getElementById("confirmDiv");
if (confirmDiv != null)
{
// Update the contents
}
window.close();
I then just tried to read the HTML to see if I could even access the DOM via the following script:
alert(window.opener.document.body.innerHTML);
When I attempted this, I still got a "Permission denied" error. I know this has something to do with cross-site scripting. However, I do not know how to resolve it. How do I fix this problem? Am I structuring my application incorrectly? How do I update the HTML DOM after a user has been redirected back to my site?
Thank you for your help!
When the popup opens the Twitter auth page, you are losing your original ability to communicate with the winodw because its document domain has changed and the window.opener has been reset.
To get around this for SitePen's NetFlix Queued, I used a timer and polled the popup window for changes to its location (which you can continue to access). If it went to an error page or a success page, I knew that and could close the popup (you have control of the window, but not the DOM) and change the content in the main page to reflect the status of authorization.
We also checked for the window closing – in the case of the user not authorizing and closing the popup.
We couldn't make use of the callback because this was done in Adobe AIR, and there was no server to "call back to", which created an extra hurdle.
这篇关于JavaScript - 跨站点脚本 - 权限被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
