HTML5 push / replaceState和< base>标签导致安全异常 [英] HTML5 push/replaceState and the <base> tag causes security exception
问题描述
我有一个位于普通网站子域的网站测试版,例如:
http://test.x。 com代替 http://x.com 。
I have a test version of a site located at a subdomain of the normal site, like: http://test.x.com instead of http://x.com.
我使用< base> 标记,用于将所有资源请求转换回原始域:
I use the <base> tag to translate all resource requests back to the original domain:
<base href="http://x.com/" />
在我实施HTML5 push / replaceState支持之前,这种策略很有效。
This tactic worked great until I implemented HTML5 push/replaceState support.
现在,如果我在控制台中执行此语句:
Now, if I execute this statement in the console:
history.pushState({}, "", "");
...然后我得到 DOMException 基于WebKit的浏览器中的对象:
... then I get a DOMException object in WebKit-based browsers:
code: 18
constructor: DOMExceptionConstructor
line: 2
message: "SECURITY_ERR: DOM Exception 18"
name: "SECURITY_ERR"
sourceId: 4839191928
__proto__: DOMExceptionPrototype
...并且FireFox 4中出现此错误:
... and this error in FireFox 4:
Security error" code: "1000
如果我删除< base> 标记并执行相同的语句,推送新状态,并且没有例外。
If I remove the <base> tag and execute the same statement, the new state is pushed, and there's no exception.
一些问题:1)此行为是否存在安全风险,还是一个bug? 2)是否有一种解决方法可以防止异常,或者使用< base> 标签以外的策略来完全回避这个问题?
A few questions: 1) is this behavior a security risk, or is it a bug? And 2) is there a workaround to prevent the exception, or a tactic other than using the <base> tag that will sidestep the issue completely?
感谢您的考虑。
推荐答案
这不是一个错误,你违反了< a href =http://en.wikipedia.org/wiki/Same_origin_policy>同源政策。 是一个相对网址,自用户使用后将解析为'http://x.com/' < base> 标记。 http://x.com 与托管页面的域名不同,这就是为什么这样做会违反相同的原始政策。
It is not a bug, you are violating the Same origin policy. "" is a relative URL which will be resolved to 'http://x.com/' since you used the <base> tag. http://x.com is a different domain from where the page is hosted which is why doing this runs afoul of the same origin policy.
使用指向 http://test.x.com/上的资源的绝对URL你的 history.pushState()调用中的应解决此问题:
Using an absolute URL that points to a resource on http://test.x.com/ in your history.pushState() call should fix this:
history.pushState({}, "", "http://test.x.com/");
这篇关于HTML5 push / replaceState和< base>标签导致安全异常的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
