Why is the 'src' attribute allowed to link to scripts from external domains, and XMLHttpRequests not?


Problem description

I have read several answers on StackOverflow regarding same-origin policy, but I don't seem to grasp the essential part.

In all tags that use the src attribute, like <script> and <img>, you are allowed to use external resources (from another domain).

Why is this allowed, but with an XMLHttpRequest (e.g. AJAX calls) it is not? I do not seem to grasp why the latter is more dangerous.

I mean, you could also have malicious code in an external source like: <script src="http://example.com/malicious_script.js"></script>

Answer

The same-origin policy aims to protect the remote server's data from an unknown client, not to protect the client from malicious code from the server. <script> tags do not allow the client to make requests other than GETs or to obtain data that is not explicitly exposed by the server in a valid JavaScript file.
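The following is an added illustration of the answer above, written for this page; it is not code from the original question, the answer, or any real site. It simulates both halves of the policy in plain Node.js: a server handler that returns private JSON to everyone but only opts in to cross-origin reading for an allow-listed origin (CORS), and that publishes a chosen subset as a valid JavaScript file; and the two browser-side rules, namely whether a page may read an XHR response, and what a <script src> include actually yields (execution, not text). The origins `https://api.example`, `https://app.example` and `https://evil.example`, the paths, and the account record are all constructed for the example.

```javascript
// Added example (not from the original question or answer): a minimal
// simulation of the two sides of the same-origin policy in Node.js.
// All origins, paths and data below are made up for the illustration.

const PRIVATE_RECORD = { user: "alice", balance: 1234 }; // constructed sample data
const TRUSTED_ORIGINS = new Set(["https://app.example"]); // assumption: CORS allow-list

// Server: decide what to return. `req` is a plain object {method, path, headers};
// the result is {status, headers, body}.
function handleRequest(req) {
  if (req.method !== "GET" && req.method !== "OPTIONS") {
    // A <script> or <img> tag can only ever produce a GET; anything else
    // comes from a client such as XHR, which the browser gates by origin.
    return { status: 405, headers: {}, body: "" };
  }
  if (req.path === "/api/account") {
    // Private JSON. It is returned to every caller; the *browser* decides
    // whether the page that issued the request may read it, based on the
    // CORS headers we set. No header means cross-origin pages get nothing.
    const headers = { "Content-Type": "application/json" };
    const origin = req.headers.origin;
    if (origin && TRUSTED_ORIGINS.has(origin)) {
      headers["Access-Control-Allow-Origin"] = origin;
      headers["Vary"] = "Origin";
    }
    return { status: 200, headers, body: JSON.stringify(PRIVATE_RECORD) };
  }
  if (req.path === "/widgets/public.js") {
    // Data explicitly exposed in a valid JavaScript file: this is all that
    // <script src="https://api.example/widgets/public.js"> on any site can
    // obtain, and only because the server chose to put it there.
    const exposed = { user: PRIVATE_RECORD.user };
    return {
      status: 200,
      headers: { "Content-Type": "application/javascript" },
      body: `window.publicProfile = ${JSON.stringify(exposed)};`,
    };
  }
  return { status: 404, headers: {}, body: "" };
}

// Browser rule: may a page at `pageOrigin` read the body of an XHR/fetch
// response from `targetOrigin`? Same origin: always. Cross origin: only if
// the server opted in via Access-Control-Allow-Origin.
function xhrMayReadResponse(pageOrigin, targetOrigin, res) {
  if (pageOrigin === targetOrigin) return true;
  const allow = res.headers["Access-Control-Allow-Origin"];
  return allow === "*" || allow === pageOrigin;
}

// Browser rule: what a <script src=...> include yields. The response is not
// handed to the page as text; it is executed as JavaScript. A bare JSON
// object such as {"user":"alice"} is not a valid script (a string literal
// cannot label a block), so the including page learns nothing from it.
function scriptTagInclude(res) {
  const sandbox = {};
  try {
    // Run the body with `window` bound to a throwaway object.
    new Function("window", res.body)(sandbox);
    return { executed: true, globals: sandbox };
  } catch (e) {
    return { executed: false, globals: sandbox, error: e.name };
  }
}

// Worked scenario: a page at https://evil.example tries both mechanisms
// against the API at https://api.example.
function attackerView() {
  const api = "https://api.example";
  const evil = "https://evil.example";
  const xhr = handleRequest({ method: "GET", path: "/api/account", headers: { origin: evil } });
  const script = handleRequest({ method: "GET", path: "/widgets/public.js", headers: { origin: evil } });
  return {
    xhrReadable: xhrMayReadResponse(evil, api, xhr),             // false: no CORS opt-in
    viaScriptTag: scriptTagInclude(xhr),                          // executed: false (SyntaxError)
    publicWidget: scriptTagInclude(script).globals.publicProfile, // { user: "alice" }
  };
}
```

Two caveats a practitioner should keep in mind. First, the SyntaxError in `scriptTagInclude` is not a security boundary on its own: older browsers could be coaxed into reading JSON arrays loaded through a script tag (the "JSON hijacking" class of bugs), so private endpoints should also require an authentication token in a request header that a script tag cannot send, and should send `X-Content-Type-Options: nosniff` so the browser refuses to execute a non-JavaScript content type as a script. Second, `handleRequest` returns the private record to every caller on purpose, to show that the browser, not the server, is the component that withholds the response from the untrusted page; a server that must also resist non-browser clients has to authenticate the request itself.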
