Why is the 'src' attribute allowed to link to scripts from external domains, and XmlHttpRequests not?
Question
I have read several answers on StackOverflow regarding the same-origin policy, but I don't seem to grasp the essential part.
In all tags that use the src attribute, like <script> and <img>, you are allowed to use external resources (from another domain).
Why is this allowed, but with an XMLHttpRequest (e.g. AJAX calls) it is not? I do not seem to grasp why the latter is more dangerous.
I mean, you could also have malicious code in an external source like:

<script src="http://example.com/malicious_script.js"></script>
Recommended answer
The same-origin policy aims to protect the remote server's data from an unknown client, not to protect the client from malicious code from the server. <script> tags do not allow the client to make requests other than GETs or to obtain data that is not explicitly exposed by the server in a valid JavaScript file.
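The distinction the answer draws can be made concrete with a small simulation of the browser's decision. This is an added example, not code from the question, the answer, or any browser; the function names (originOf, evaluateRequest, parsesAsScript) and the sample URLs and response bodies are constructed for illustration. It models three things: a src attribute can only issue a GET, its response is executed or painted but never handed to the page's own JavaScript, and a cross-origin XMLHttpRequest only gets a readable body when the remote server opts in with Access-Control-Allow-Origin. It also shows why a JSON object served to a <script src> leaks nothing: it is not a valid JavaScript file and does not even parse.

```javascript
// Added example, not code from the question, the answer or any library: a tiny
// model of the browser decision described in the answer. Function names and the
// sample URLs/bodies below are constructed for illustration.

// An origin is scheme + host + port. new URL(...).host already includes a
// non-default port, so two URLs share an origin only if these strings match.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// Model a request made by a page at pageUrl to targetUrl.
//   kind:   'script' or 'img' for a src attribute, 'xhr' for XMLHttpRequest
//   method: HTTP method the page asked for (src attributes can only GET)
//   responseHeaders: headers the remote server answered with (lower-case keys)
// Returns whether the request is sent and whether the page's JS can read the body.
function evaluateRequest({ pageUrl, targetUrl, kind, method = 'GET', responseHeaders = {} }) {
  const pageOrigin = originOf(pageUrl);
  const sameOrigin = pageOrigin === originOf(targetUrl);

  if (kind === 'script' || kind === 'img') {
    if (method !== 'GET') {
      return { sent: false, bodyReadable: false, reason: `<${kind} src> can only issue GET` };
    }
    // The engine executes the script (or paints the image), but the response
    // bytes are never handed to the page's own JavaScript.
    return { sent: true, bodyReadable: false, reason: `${kind} response is opaque to page script` };
  }

  if (kind === 'xhr') {
    if (sameOrigin) {
      return { sent: true, bodyReadable: true, reason: 'same origin' };
    }
    // Cross-origin: the browser sends a simple GET but withholds the body unless
    // the remote server explicitly opts in with Access-Control-Allow-Origin.
    // (Methods beyond GET/HEAD/POST additionally need a preflight, not modelled here.)
    const acao = responseHeaders['access-control-allow-origin'];
    if (acao === '*' || acao === pageOrigin) {
      return { sent: true, bodyReadable: true, reason: `server allowed ${acao}` };
    }
    return { sent: true, bodyReadable: false, reason: 'cross origin without CORS opt-in' };
  }
  throw new Error(`unknown request kind: ${kind}`);
}

// "Data not explicitly exposed in a valid JavaScript file": a JSON object body
// does not parse as a script, so pointing <script src> at it leaks nothing.
// new Function compiles the body without running it.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample inputs.
const page = 'https://app.example/dashboard';
const remoteApi = 'https://api.partner.example/account';

const viaScriptTag = evaluateRequest({ pageUrl: page, targetUrl: remoteApi, kind: 'script' });
const viaXhrNoCors = evaluateRequest({ pageUrl: page, targetUrl: remoteApi, kind: 'xhr' });
const viaXhrCors = evaluateRequest({
  pageUrl: page, targetUrl: remoteApi, kind: 'xhr',
  responseHeaders: { 'access-control-allow-origin': 'https://app.example' },
});

console.log(viaScriptTag);  // sent: true, bodyReadable: false
console.log(viaXhrNoCors);  // sent: true, bodyReadable: false
console.log(viaXhrCors);    // sent: true, bodyReadable: true

console.log(parsesAsScript('{"balance": 1200, "iban": "constructed"}')); // false
console.log(parsesAsScript('var sharedConfig = { theme: "dark" };'));     // true
```

Run it with node. The practical reading for a server operator is the reverse of the question's worry: the policy does not stop a page from pulling in a malicious script (the page author chose to trust that host), but it does stop a page from reading your authenticated API responses unless you serve them with a matching Access-Control-Allow-Origin, and serving data as a JSON object rather than as executable JavaScript keeps it out of reach of a <script src> as well.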
This concludes the IT屋 article on why the 'src' attribute is allowed to link to scripts from external domains while XmlHttpRequests are not; we hope the recommended answer helps, and thank you for supporting IT屋!