What's the point of the Anti-Cross-Domain policy?

Problem description

Why did the creators of the HTML DOM and/or Javascript decide to disallow cross-domain requests?

I can see some very small security benefits of disallowing it, but in the long run it seems to be an attempt at making Javascript injection attacks have less power. That is all moot anyway with JSONP; it just means that the javascript code is a tiny bit more difficult to make and you have to have server-side cooperation (though it could be your own server).

Recommended answer

The actual cross-domain issue is huge. Suppose SuperBank.com internally sends a request to http://www.superbank.com/transfer?amount=100&to=123456 to transfer $10,000 to account number 123456. If I can get you to my website, and you are logged in at SuperBank, all I have to do is send an AJAX request to SuperBank.com to move thousands of dollars from your account to mine.

The reason JSON-P is acceptable is that it is pretty darn impossible for it to be abused. A website using JSON-P is pretty much declaring the data to be public information, since that format is too inconvenient to ever be used otherwise. But if it's unclear as to whether or not data is public information, the browser must assume that it is not.
