Sandboxing, IFrame, and allow-same-origin


Problem description

I have been reading about the HTML5 additions to the <iframe> tag. One of the additions is the inclusion of sandboxing flags that allow the document loaded into the iframe to interact with its parent browser context.

After reading some of the documentation, I am looking for a bit of clarity. I have read MDN's description of the allow-same-origin flag:

Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.

Not hugely helpful, I think, after having read W3C's specification:

...[I]t can be used to embed content from a third-party site, sandboxed to prevent that site from opening pop-up windows, etc, without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc.

My question is specifically about what MDN refers to as the "normal origin" in light of W3C's specification: when referring to the "normal origin", is MDN stating that the content of the document contained within the <iframe> tag is treated as if it shares the origin of the page from which the document originates, e.g. a YouTube video believes - and can communicate as if - it is still a part of YouTube? Or, does the <iframe> document have access to the parent browser context?

Solution

You can't access the document between an iFrame and the parent window (from different domains). To communicate between frames, you'd need to use postMessage.

Using allow-same-origin allows you to use, for example, cookies that are in the iFrame.

Here's a good read to better understand the iFrame sandbox: http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
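As an added illustration (not part of the original answer), here is a small Node.js model of the behaviour the answer describes: which origin a document inside `<iframe sandbox="...">` ends up with, whether that lets it touch the parent's DOM, and a `postMessage` receiver that checks `event.origin` before trusting data. The function names and the sample URLs (an example.com page embedding a YouTube player and a same-origin widget) are assumptions made for this example; the rules modelled follow the HTML spec's sandbox flags (no `allow-same-origin` means a unique opaque origin, which `postMessage` reports as the string `"null"`). The message events are constructed by hand, so no browser is needed.

```javascript
// Added example, not part of the original question or answer.
// Offline model of (1) the origin an <iframe sandbox="..."> document gets and
// whether it can reach window.parent.document, and (2) a postMessage receiver
// that validates event.origin. Function names and sample URLs are assumptions.

// Parse the space-separated token list of a sandbox attribute.
//   null -> attribute absent, no sandboxing at all
//   ""   -> `sandbox` with no tokens, every restriction applied
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Origin the browser assigns to the document loaded in the frame. Without
// allow-same-origin a sandboxed frame gets a unique opaque origin, which
// serializes (e.g. in event.origin) as the string "null".
function effectiveOrigin(frameUrl, sandboxAttr) {
  const flags = parseSandbox(sandboxAttr);
  if (flags !== null && !flags.has("allow-same-origin")) return "null";
  return new URL(frameUrl).origin;
}

// Can script in the frame reach the parent's DOM (window.parent.document)?
// Only when both documents share a real, non-opaque origin.
function canReachParentDom(parentUrl, frameUrl, sandboxAttr) {
  const frameOrigin = effectiveOrigin(frameUrl, sandboxAttr);
  if (frameOrigin === "null") return false;
  return frameOrigin === new URL(parentUrl).origin;
}

// Caveat from the HTML spec: a framed page that is same-origin with the
// embedder and gets both allow-scripts and allow-same-origin can reach the
// parent DOM and simply delete its own sandbox attribute, so that combination
// gives no isolation for content you do not fully control.
function sandboxIsEscapable(parentUrl, frameUrl, sandboxAttr) {
  const flags = parseSandbox(sandboxAttr);
  if (flags === null) return false; // nothing to escape from
  return flags.has("allow-scripts") &&
         canReachParentDom(parentUrl, frameUrl, sandboxAttr);
}

// Receiver side of window.postMessage: accept only messages whose
// event.origin is the one we expect. A sandboxed frame without
// allow-same-origin arrives with origin "null" and is rejected here; for such
// frames the sender has to be identified via event.source instead.
function makeMessageHandler(expectedOrigin) {
  const accepted = [];
  const rejected = [];
  function onMessage(event) {
    if (typeof event.origin !== "string" || event.origin !== expectedOrigin) {
      rejected.push(event.origin);
      return;
    }
    accepted.push(event.data);
  }
  return { onMessage, accepted, rejected };
}

// Walk through the cases from the question: a YouTube embed inside example.com.
function demo() {
  const parent = "https://example.com/page.html";               // constructed
  const youtube = "https://www.youtube.com/embed/VIDEO_ID";     // constructed
  const widget = "https://example.com/widget.html";             // constructed

  const both = "allow-scripts allow-same-origin";
  const rows = [
    ["youtube, no sandbox",         effectiveOrigin(youtube, null),
                                    canReachParentDom(parent, youtube, null)],
    ["youtube, allow-scripts only", effectiveOrigin(youtube, "allow-scripts"),
                                    canReachParentDom(parent, youtube, "allow-scripts")],
    ["youtube, + allow-same-origin", effectiveOrigin(youtube, both),
                                    canReachParentDom(parent, youtube, both)],
    ["widget,  + allow-same-origin", effectiveOrigin(widget, both),
                                    canReachParentDom(parent, widget, both)],
  ];
  for (const [label, origin, reach] of rows) {
    console.log(`${label.padEnd(32)} origin=${origin.padEnd(24)} parentDom=${reach}`);
  }
  console.log("same-origin widget with allow-scripts + allow-same-origin escapable:",
              sandboxIsEscapable(parent, widget, both));

  // Simulated messages arriving at the parent page's "message" listener.
  const handler = makeMessageHandler("https://www.youtube.com");
  handler.onMessage({ origin: "https://www.youtube.com", data: { state: "playing" } });
  handler.onMessage({ origin: "null", data: "from a fully sandboxed frame" });
  handler.onMessage({ origin: "https://attacker.example", data: "spoof attempt" });
  console.log("accepted:", handler.accepted.length, "rejected from:", handler.rejected);
  return { rows, handler };
}

demo();
```

Running it with `node` prints one row per case: the YouTube frame keeps `https://www.youtube.com` as its origin only when `allow-same-origin` is present, and in no case can it touch the parent DOM, which is the answer's point that cross-domain frames need `postMessage`. The same-origin widget row shows the caveat the html5rocks article warns about: `allow-scripts` plus `allow-same-origin` on same-origin content lets the frame undo its own sandbox.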
