[英]Executing JavaScript on an iframe's contents from a different domain
Is this denied by the browser? 浏览器拒绝了吗? Is it possible?
可能吗?
If so, are that browser bugs that allow it to happen? 如果是这样,那是浏览器的错误使之发生吗? I noticed this:
我注意到了这一点:
http://html5sec.org http://html5sec.org
How can you close these bugs and prevent them from working on your website? 您如何关闭这些错误并阻止它们在您的网站上运行? Can I detect if someone is trying to execute javascript from another domain?
我可以检测是否有人试图从另一个域执行javascript吗?
Thanks. 谢谢。
Javascript is executed by the browser, not the server. Javascript是由浏览器而不是服务器执行的。 If a user wanted to, they can execute javascript on a website without an iframe.
如果用户愿意,他们可以在没有iframe的网站上执行javascript。 (Type
javascript:alert('hello');
in the address bar). (在地址栏中输入
javascript:alert('hello');
)。
You can not stop this, because it is being executed on the client, not on your site itself. 您不能停止此操作,因为它是在客户端而不是站点本身上执行的。 Design your site in a way that no matter what they do with javascript, it can not affect the integrity of your site.
设计网站的方式无论使用JavaScript做什么,都不会影响网站的完整性。 Use server-side authentication and sessions, sanitize your database input , and do not do any security-based operations on the client side.
使用服务器端身份验证和会话, 清理数据库输入 ,并且不要在客户端上执行任何基于安全性的操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.