是一个JavaScript书签,可以设置域cookie打破跨域安全? [英] Is a javascript bookmarklet that can set domain cookies breaking cross-domain security?
问题描述
我正在创建一个要在各种域中使用的书签。我想要设置一些cookie来存储这个书签的临时设置,所以我假设从这个脚本设置一个cookie会将cookie分配给脚本的起源域。
I am creating a bookmarklet that is to be used across a wide range of domains. I wanted to set some cookies to store temporary settings for this bookmarklet, so I assumed that setting a cookie from this script would assign the cookie to the domain of the script's origin.
这不是这样的,小书签能够将cookie分配给正在查看的当前网站的域。这不适合我的需要(这将记住每个域的设置,而不是所有域的书签)。
This was not the case, the bookmarklet is able to assign cookies to the domain of the current site being viewed. This is not suitable for my needs (this would remember settings per domain, rather than for the bookmarklet across all domains).
我的问题是,这是不知何故打破十字架域策略?和后续问题,如何存储cookie的书签,而不是正确的域使用的书签。
My question is, is this somehow breaking the cross domain policy? And a follow up question, how can I store cookies for the bookmarklet rather than the correct domain it is used on.
推荐答案
Bookmarklets正在当前页面的上下文中运行,这是它们运行的安全上下文,因此这不会打破跨域策略。您只能在当前网页的域中设置Cookie。因此,您的书签不能拥有自己的Cookie。
Bookmarklets are running in the context of the current page so that is the security context they run in and thus this doesn't break cross domain policy. You can only set cookies on the current page's domain. Because of this your bookmarklet can't have it's own cookies.
这与从不同网域加载到指定网页的脚本相同。页面的起源是重要的,而不是脚本的起源。
This is the same as scripts that are loaded into a given page from a variety of domains. The origin of the page is what matters, not the origin of the script.
我知道的唯一方法是为所有域中的脚本保存设置一次使用跨域JSONP并将设置存储在您的服务器上,但您仍然可能无法识别唯一身份用户。
The only way I know of for you to save settings once for your script across all domains would be to use cross domain JSONP and store the settings on your server, but you still may have difficulty identifying a unique user.
这听起来像您想要做的将更适合于具有插件的本地存储的浏览器插件。
It sounds like what you're trying to do would be much more suited to a browser plug-in which has local storage for the plug-in.
这篇关于是一个JavaScript书签,可以设置域cookie打破跨域安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
