How exactly is the same-domain policy enforced?

Submitted by 末鹿安然 on 2019-12-17 16:34:01

Question


Let's say I have a domain, js.mydomain.com, and it points to some IP address, and some other domain, requests.mydomain.com, which points to a different IP address. Can a .js file downloaded from js.mydomain.com make Ajax requests to requests.mydomain.com?

How exactly do modern browsers enforce the same-domain policy?


Answer 1:


The short answer to your question is no: for AJAX calls, you can only access the same hostname (and port / scheme) as your page was loaded from.

There are a couple of work-arounds: one is to create a URL in foo.example.com that acts as a reverse proxy for bar.example.com. The browser doesn't care where the request is actually fulfilled, as long as the hostname matches. If you already have a front-end Apache webserver, this won't be too difficult.

Another alternative is AJAST, which works by inserting script tags into your document. I believe that this is how Google APIs work.

You'll find a good description of the same origin policy here: http://code.google.com/p/browsersec/wiki/Part2




Answer 2:


This won't work because the host name is different. Two pages are considered to be from the same origin if they have the same host, protocol and port.

From Wikipedia on the same origin policy:

The term "origin" is defined using the domain name, application layer protocol, and (in most browsers) TCP port of the HTML document running the script. Two resources are considered to be of the same origin if and only if all these values are exactly the same.
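The two answers above state the rule (same scheme, same host, same port) and the reverse-proxy workaround in prose. The following is an added example, not code from either answer or from Stack Overflow, that makes the comparison concrete: it reduces a URL to its origin tuple, reports which component differs when two URLs are cross-origin, and shows why a same-host proxy path satisfies the check. The hostnames are the question's own; the `/api/` proxy prefix is an assumed placeholder.

```javascript
// Added example (not from the original answers): origin comparison as the
// same-origin policy performs it, using the WHATWG URL parser available in
// browsers and Node.

// Default ports per scheme. The URL parser drops a default port from
// u.port, so we put it back to make the comparison explicit.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to the (scheme, host, port) triple that defines its origin.
// Path, query and fragment play no part in the decision.
function originTuple(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] ?? "");
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// True only when all three components match exactly. Subdomains of the same
// registrable domain (js.mydomain.com vs requests.mydomain.com) do not match.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// List the components that differ; handy when diagnosing a blocked request.
function originDiff(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return ["scheme", "host", "port"].filter((k) => x[k] !== y[k]);
}

// Reverse-proxy workaround from answer 1: the page keeps talking to its own
// origin under an assumed prefix (placeholder "/api/") and the front-end web
// server forwards that path to the other host. The browser never sees the
// second hostname, so the origin check passes.
function proxiedUrl(pageUrl, targetUrl, prefix = "/api/") {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const path = prefix + target.pathname.replace(/^\//, "") + target.search;
  return new URL(path, page.origin).href;
}

// Walk through the question's scenario and return the findings.
function demo() {
  const script = "https://js.mydomain.com/app.js";
  const api = "https://requests.mydomain.com/data?id=1";
  return {
    direct: sameOrigin(script, api),                     // false
    differs: originDiff(script, api),                    // ["host"]
    explicitDefaultPort: sameOrigin(script, "https://js.mydomain.com:443/x"), // true
    schemeChange: originDiff(script, "http://js.mydomain.com/app.js"),      // ["scheme","port"]
    viaProxy: sameOrigin(script, proxiedUrl(script, api)),                 // true
    proxied: proxiedUrl(script, api),
  };
}

console.log(demo());
```

Note that an explicit `:443` on an https URL does not create a new origin, because the parser normalizes the default port away, whereas switching the scheme from https to http changes both the scheme and the effective port at once.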



Source: https://stackoverflow.com/questions/929677/how-exactly-is-the-same-domain-policy-enforced
