Why can a child redirect a parent frame?


Question

I have a look at these two questions and I don't understand.

Redirect parent window from an iframe action

How to prevent IFRAME from redirecting top-level window

On one hand it appears that you can redirect the parent iframe and on the other you cannot? When I try it, I have no problem redirecting the parent frame, so I'm curious why everyone says you cannot redirect the parent frame unless you are on the same domain. But I can redirect without having the frame on the same domain.


As stated previously, will redirect the parent iframe. One thing to bear in mind is that both the website and the site contained in the iframe need to be on the same domain for this to work, or you'll get an access denied exception.

Is it browser-related?

Edit

I have two pages and this works but shouldn't:

On domain 1

<html>
  <body>
    <iframe src="http://domain2.fr"></iframe>
  </body>
</html>

On domain 2

<html>
  <body>
    <script type="text/javascript">
      window.top.location.href = "http://google.fr";
    </script>
  </body>
</html>


Answer

The answer to why it is possible is perfectly simple. window.location is part of the Web API, which is not exactly the same as the JavaScript core. It's part of the DOM interface, hence it's governed by W3C, not ECMA. That's why it allows you to manipulate the top window's properties.

Strictly speaking, JS isn't capable of doing this, because it lacks IO capabilities, which makes the language extremely portable. That's why browser implementations require the DOM API, to query the DOM, and request repaints or interact with the client. The DOM, though, does need IO, because it renders, and reads from the actual UI. Some people in the ECMAScript committee would rather have seen the access to window.top heavily restricted, if not removed altogether, for XSS vulnerability reasons. Sadly W3C agreed to disagree, and implemented the window.top reference anyway.

Who's right or wrong in this case? I don't know; it's easy to redirect a client to a malicious site from within an iFrame, which is unsafe. But it would be frustrating to have an iFrame and then not have access to the top window, which would mean not being able to interact with the client as easily. But that's not the point here. Bottom line is, you can change some top window properties, and it can be useful. Just think about mashups. They pose a lot of challenges in terms of XSS safety, but open up a lot of new and exciting possibilities for webapps. To plug some of the most dangerous XSS vulnerabilities, take a look at ADSafe, which was created by Douglas Crockford. Google has a similar lib, but I forgot its name ATM...

The same-origin policy doesn't apply here, either. By changing the URL in the address bar of your browser window, you're changing the window.top.location.href property, too. If there were same-origin restrictions there, the internet would be dead. You're not sending a request to another location, you're not getting data from a third-party resource and loading it in your page; you're redirecting the browser to another location, which closes and clears the DOM.
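Added example (not code from the question or the answer above): a JavaScript model of the HTML Standard's "allowed by sandboxing to navigate" check, run over the two-page frame tree from the question. The frame names and the origins domain1.fr / domain2.fr are taken from the question; the origin values are stored only to make the point visible, because the spec's decision never reads them. What decides whether a nested frame may set window.top.location is its position in the frame tree and the sandboxing flags the embedder's iframe sandbox attribute gave it, which is why the question's unsandboxed demo redirects across origins and why the fix from the second linked question is a sandbox attribute that omits allow-top-navigation. The spec's rule for popups opened by a sandboxed frame (the "one permitted sandboxed navigator") is left out of the model. A caveat beyond the spec: browsers layer interventions on top of this check; current Chrome, since version 64, refuses top-level navigation from a cross-origin iframe that has not received a user gesture, so the question's demo may no longer redirect there even without a sandbox attribute.

```javascript
'use strict';

// Sandboxing flags that matter for navigation, derived from an <iframe sandbox>
// attribute the way the HTML Standard does. null means no sandbox attribute at all;
// an empty string means the attribute is present with no tokens (fully sandboxed).
function navigationSandboxFlags(sandboxAttr) {
  if (sandboxAttr === null) {
    return { navigation: false, topNavWithoutActivation: false, topNavWithActivation: false };
  }
  const tokens = new Set(sandboxAttr.trim().toLowerCase().split(/\s+/).filter(Boolean));
  const allowTop = tokens.has('allow-top-navigation');
  const allowTopByUser = tokens.has('allow-top-navigation-by-user-activation');
  return {
    navigation: true,                                   // set by any sandbox attribute
    topNavWithoutActivation: !allowTop,                 // cleared only by allow-top-navigation
    topNavWithActivation: !(allowTop || allowTopByUser),
  };
}

// A browsing context in the frame tree. The origin is recorded for display only.
class Navigable {
  constructor(name, origin, parent = null, sandboxAttr = null) {
    this.name = name;
    this.origin = origin;
    this.parent = parent;
    this.flags = navigationSandboxFlags(sandboxAttr);
  }
  isTop() { return this.parent === null; }
  isAncestorOf(other) {
    for (let n = other.parent; n !== null; n = n.parent) if (n === this) return true;
    return false;
  }
}

// The spec's "allowed by sandboxing to navigate" algorithm, minus the popup rule.
// Note that no step compares origins.
function allowedBySandboxingToNavigate(source, target, hasTransientActivation = false) {
  const f = source.flags;
  if (source === target) return true;
  if (source.isAncestorOf(target)) return true;        // a frame may always navigate its descendants
  if (target.isAncestorOf(source)) {
    if (!target.isTop()) return true;                   // sandbox restricts only the top-level ancestor
    if (hasTransientActivation && f.topNavWithActivation) return false;
    if (!hasTransientActivation && f.topNavWithoutActivation) return false;
    return true;
  }
  // Unrelated frame or unrelated top-level context: blocked only when sandboxed.
  return !f.navigation;
}

// Decisions for the question's setup and for the sandbox-based fix.
function scenarios() {
  const out = {};
  const tree = (sandboxAttr) => {
    const top = new Navigable('top', 'http://domain1.fr');
    const child = new Navigable('child', 'http://domain2.fr', top, sandboxAttr);
    return { top, child };
  };
  let t;
  // The question's exact setup: cross-origin iframe, no sandbox attribute.
  t = tree(null);
  out.plainIframeToTop = allowedBySandboxingToNavigate(t.child, t.top);            // true
  out.topToChild = allowedBySandboxingToNavigate(t.top, t.child);                   // true
  // The fix: sandbox with scripts allowed but no top-navigation token.
  t = tree('allow-scripts allow-same-origin');
  out.sandboxedToTop = allowedBySandboxingToNavigate(t.child, t.top);              // false
  // Top navigation permitted only on user activation (a click inside the frame).
  t = tree('allow-scripts allow-top-navigation-by-user-activation');
  out.byUserNoActivation = allowedBySandboxingToNavigate(t.child, t.top, false);   // false
  out.byUserWithActivation = allowedBySandboxingToNavigate(t.child, t.top, true);  // true
  // allow-top-navigation restores the behaviour the question observed.
  t = tree('allow-scripts allow-top-navigation');
  out.allowTopNoActivation = allowedBySandboxingToNavigate(t.child, t.top);        // true
  // A sandboxed grandchild may still navigate its non-top parent, but not top.
  t = tree(null);
  const grandchild = new Navigable('grandchild', 'http://domain3.fr', t.child, 'allow-scripts');
  out.sandboxedGrandchildToParent = allowedBySandboxingToNavigate(grandchild, t.child); // true
  out.sandboxedGrandchildToTop = allowedBySandboxingToNavigate(grandchild, t.top);      // false
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scenarios());
}
```

Run it with node; scenarios() returns one decision per case. The grandchild case is the one worth remembering when relying on sandbox for protection: the sandbox flags block navigation of the top-level frame only, so a sandboxed frame nested two levels deep can still navigate the intermediate frame that embeds it.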
