Cross Domain JavaScript parent location setting firefox error

前端 未结 2 800
星月不相逢
星月不相逢 2021-02-05 23:37

Here is the case:
page A contains iframe B, B contains iframe C, A and B are under the same domain, C under another.
C tries to reset parent B\'s location with extra i

2条回答
  •  一生所求
    2021-02-06 00:04

    Historically, any window could change the location of any other window. This turned out to be a problem because, among other things, it meant embedding a login iframe in a window was unsafe (because then a malicious site could replace the login iframe with a spoofed version). Over time further restrictions have been applied to location changes to browser windows, until now, when HTML5 and most browsers have reached common agreement on the ancestor policy. In a nutshell, paraphrasing the HTML5 specification, a window A can change the location of another window B iff:

    • the locations of A and B have the same origin, which is to say they have the same scheme, host, and port (http, stackoverflow.com, 80 for example), or
    • B is a top-level window, and A is a window in a frame nested at some depth within B (direct child, child of a child, etc.), or
    • B is a window opened using window.open and A can change the location of the window that opened B (so B is a popup opened by A, by a popup window opened by A, or at greater depth), or
    • B isn't a top-level window, but its parent window, or its parent's parent window, or at some similar amount of parentage the locations of that window and A are same-origin

    (Same origin is more complicated than this, but the embedded description above catches its essence and covers the most common cases.)

    Under this policy, C may change the location of A, and A may change the location of B or C, but C may not change the location of B. If you need to work around this, then you should change your page A's location to something that changes B as appropriate; alternately, you could ask your page B to change its own location.

    Hopefully that's informative, if not necessarily helpful. The browser security model wasn't so much designed as evolved, and only with recent work in HTML5 is it really being precisely nailed down to address these cross-browser inconsistencies.

    All that said, I'm surprised IE7 and IE8 work for you -- it was my understanding the above policy was primarily based upon the policy IE7 implemented.

提交回复
热议问题