
Same-Origin Policy: Understanding Deny Read

This MSDN article explains that READS are not permitted by the same-origin policy.

Specifically, it says:

Webpage from Origin A:

  • May include (execute) a frame pointed at a HTML page from “B”

  • Must not be permitted to get the inner HTML of that frame

How can another html file be "included (executed)", without the content of it being accessed?

What does "included (executed)" even mean in this context?

This is referring to the fact that the user viewing the page can see the content of the iframe, but scripts running on the framing page cannot access the content of the framed page. Consider analogously that an <img> tag will show an image from any origin to a user, but scripts within the page that contains the <img> tag might not be able to read the contents of the loaded image.

This is important because the framed page is from a different origin and was fetched using the user's cookies from that origin. Suppose the framed page was mail.google.com: certainly I don't want any random webpage to read the contents of my inbox simply by loading it in an iframe. However, merely showing the page to me, the user who happens to be logged in to my mail service, is harmless.
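The embed-versus-read rule the answer describes comes down to comparing origin tuples (scheme, host, port). Below is an added example, not part of the original question or answer, that computes the origin of two URLs with the WHATWG URL API available in Node.js and reports what a framing page may do with a frame loaded from the second URL. The function names (originOf, sameOrigin, framePermissions) and the sample URLs are my own; the behaviour encoded is the same-origin policy itself, not the extra framing controls a site can add (X-Frame-Options, frame-ancestors).

```javascript
// Added example: the origin comparison behind the same-origin policy.
// Runs under Node.js; function names and sample URLs are assumptions.

// An origin is the tuple (scheme, host, port). The URL parser drops a
// default port (":443" for https, ":80" for http), so `url.origin` yields a
// directly comparable string such as "https://mail.google.com".
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// What scripts on the framing page may do with an <iframe> that loads
// `framedUrl`. The same-origin policy never blocks embedding: the browser
// fetches and renders the framed document for the user (with that origin's
// cookies). It blocks the framing page's scripts from reading the result
// unless both documents share an origin. In a browser, a cross-origin read
// via iframe.contentWindow.document throws a "SecurityError" DOMException and
// iframe.contentDocument is null.
function framePermissions(framingUrl, framedUrl) {
  const same = sameOrigin(framingUrl, framedUrl);
  return {
    framingOrigin: originOf(framingUrl),
    framedOrigin: originOf(framedUrl),
    mayEmbed: true,
    mayReadInnerHtml: same,
  };
}

// Constructed cases showing which URL differences change the origin.
const CASES = [
  ["https://mail.example/inbox", "https://mail.example:443/inbox"], // default port: same
  ["http://mail.example/", "https://mail.example/"],                // scheme differs
  ["https://mail.example/", "https://mail.example:8443/"],          // port differs
  ["https://mail.example/", "https://www.mail.example/"],           // host differs
  ["https://random-site.example/", "https://mail.example/inbox"],   // the answer's scenario
];

for (const [framing, framed] of CASES) {
  const p = framePermissions(framing, framed);
  console.log(`${p.framingOrigin} framing ${p.framedOrigin}: ` +
    `embed=${p.mayEmbed} readInnerHtml=${p.mayReadInnerHtml}`);
}
```

The only case that reports readInnerHtml=true is the default-port one, because the parser normalises ":443" away; a different scheme, port or host each produces a distinct origin, so the frame still renders for the user while its DOM stays closed to the framing page's scripts.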
