Same origin policy seemingly not working
I'm trying to understand the same origin policy in detail. To this end I tried to see how it worked with code (I'm a total noob in web development), so I started a Flask server and created a domain local.com and a subdomain store.local.com. Then in the store.html page of the subdomain I created an iframe with src=http://local.com, without modifying the document.domain property in any way, as read here.

Now from what I had read, I thought this would fail, but instead it correctly shows the content of the super domain index.html page. I've repeated the experiment hosting the two domains on two different physical computers, but that didn't change anything. (I've tried both Firefox and Chrome.)

Now I've also tried with src=http://google.com, and this does actually get stopped by the SOP. So at the moment I'm kind of in deep confusion; could anyone please help me make some sense of it? Thanks.
IFrames are generally exempt from the same origin policy.

However, if you look at the HTTP response headers when you call http://google.com, you will see the following header:

x-frame-options:SAMEORIGIN

This explicitly tells your browser that it should prevent the page from being displayed across origins.

MDN describes this particular behavior:

Here are some examples of resources which may be embedded cross-origin:

[...]

- Anything with <frame> and <iframe>. A site can use the X-Frame-Options header to prevent this form of cross-origin interaction.