Browsers restrict cross-domain Ajax requests [original title: browser restrict cross domain ajax request]
Question
Why don't browsers allow cross-domain AJAX requests, whereas a JavaScript/CSS file can be retrieved from other domains? I know there are ways to solve this, but I want to know what the factors are that made browsers not allow cross-domain Ajax calls. More specifically: if any JavaScript or CSS file can be accessed via a script or link HTML tag, why is it not accessible via an Ajax call? Why is a cross-domain link/script tag allowed and not Ajax?
Answer
It's for the user's security:
Assume you are logged into Facebook and visit a malicious website in another browser tab. Without the same-origin policy, JavaScript on that website could do anything to your Facebook account that you are allowed to do. For example, read private messages, post status updates, or analyse the HTML DOM tree after you entered your password and before submitting the form.
From here: http://security.stackexchange.com/questions/8264/why-is-the-same-origin-policy-so-important
Update:
1- When you target a file using a script, link or img tag, you are downloading the file from its server, and then its operation is limited to your domain context (accessing your DOM, manipulating your DOM ...).
2- But when you want to do an Ajax call to another website, you potentially have the ability to make changes to that website. So to avoid this risk, the browser checks your request with the website and gets its response. If it's no, then the browser rejects your request, and if it's yes, then it passes your request to the server. On the other hand, it's the target website that allows or rejects cross-origin requests.
3- It's not just about Ajax, but also WebSocket or even Flash.
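The "yes/no" handshake described in point 2 is the CORS check. The following is an added example (not code from the original question or answer) that models both sides of it in plain JavaScript: the browser's decision about whether a request needs a preflight and whether the response may be handed to the calling script, and a server that only echoes origins on an allow list. The origins, the allow list and all function names are invented for illustration. It goes slightly beyond the answer's wording in one respect: a "simple" GET is still sent with the user's cookies and only its response is withheld, while a non-simple request (DELETE, JSON body) is not sent at all unless the preflight is answered with "yes".

```javascript
// Added example (not from the original post): a small model of the
// cross-origin decision a browser makes for XMLHttpRequest/fetch.
// Function names, origins and the allow list are invented for illustration.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// A request is "simple" if a plain HTML form could have produced it;
// anything else must be announced with an OPTIONS preflight first.
function needsPreflight(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(lowerKeys(req.headers))) {
    if (!SIMPLE_HEADERS.has(name)) return true;
    if (name === "content-type" &&
        !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) return true;
  }
  return false;
}

// The "yes/no" from the target site: may a script running at `origin` read this response?
function originAllowed(origin, responseHeaders, withCredentials) {
  const h = lowerKeys(responseHeaders);
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (withCredentials) {
    // With cookies attached, a wildcard is rejected; the exact origin must be echoed
    // and Access-Control-Allow-Credentials: true must be present.
    return acao === origin && h["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === origin;
}

// Server side of the handshake: only origins on the allow list are echoed back.
// Echoing the Origin header unconditionally would re-open the hole the policy closes.
function corsHeadersFor(requestOrigin, allowList) {
  if (!allowList.includes(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    "Access-Control-Allow-Headers": "Content-Type, X-Requested-With",
    "Vary": "Origin",
  };
}

// Run one cross-origin call through the model. `server` is a function
// (origin) -> response headers, standing in for the target site.
// Returns what the calling script would observe:
//   sent:     whether the real request ever reached the target
//   readable: whether the script can read the response body
function crossOriginCall(origin, req, server) {
  const withCredentials = Boolean(req.withCredentials);
  if (needsPreflight(req)) {
    // Preflight: the browser asks first and sends nothing if the answer is "no".
    const preflight = server(origin);
    const allowedMethods = (lowerKeys(preflight)["access-control-allow-methods"] || "")
      .split(",").map((m) => m.trim().toUpperCase());
    const ok = originAllowed(origin, preflight, withCredentials) &&
      allowedMethods.includes(req.method.toUpperCase());
    if (!ok) return { sent: false, readable: false };
  }
  // Simple requests (and successful preflights) are sent with the user's cookies;
  // the response is handed to the script only if the target says yes.
  const response = server(origin);
  return { sent: true, readable: originAllowed(origin, response, withCredentials) };
}

// Constructed scenario: a social site that only trusts its own app origin.
const ALLOW_LIST = ["https://app.social.example"];
const socialServer = (origin) => corsHeadersFor(origin, ALLOW_LIST);

// Attacker tab tries to read private messages with the victim's cookies.
const stolen = crossOriginCall("https://evil.example",
  { method: "GET", headers: {}, withCredentials: true }, socialServer);
// stolen => { sent: true, readable: false }: the GET is sent (CSRF territory),
// but the attacker's script never sees the body.

const deleted = crossOriginCall("https://evil.example",
  { method: "DELETE", headers: {}, withCredentials: true }, socialServer);
// deleted => { sent: false, readable: false }: the preflight is refused, nothing is sent.

const legit = crossOriginCall("https://app.social.example",
  { method: "PUT", headers: { "Content-Type": "application/json" }, withCredentials: true }, socialServer);
// legit => { sent: true, readable: true }
```

The point the model makes visible: the decision is taken by the browser, but the policy comes from the target site's response headers, so a server that reflects every `Origin` it receives (or answers `*` to credentialed requests) has effectively opted out of the protection the answer describes.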