Home > Web Front-end > JS Tutorial > Webkit's cross-domain security issues explained_javascript skills

Webkit's cross-domain security issues explained_javascript skills

WBOY
Release: 2016-05-16 18:02:27
Original
1137 people have browsed it

Here is a simple test page: IE and Firefox pop up "hello world", but Chrome, Safari, and Opera have no response.
The following is a small piece of test code (the domain is deliberately modified so that the parent page and the child page are different domain pages):
1. Parent page code:

Copy code The code is as follows:

<script> <br>document.domain = "nunumick.me"; <br>function doTest( ){ <br>alert('hello world'); <br>} <br></script>


2. Sub-page code:
Copy code The code is as follows:

<script> <br>try{ <br>top.name; <br>}catch(e){ <br>document.domain = 'nunumick.me'; <br>top.doTest(); <br>} <br></script>

The purpose of the above code is to try to access When an exception occurs, the domain is dynamically modified to achieve smooth access, but the webkit kernel browser rudely reports an error instead of throwing an interceptable exception, and other browsers run as expected.

chrome error message:
Webkit's cross-domain security issues explained_javascript skills

It is understood that the use of this type of try catch method to make safety feasibility judgments is not just an isolated phenomenon, such as DOJO

Copy the code The code is as follows:

try{
//see if we can access the iframe's location
//without a permission denied error
var iframeSearch = _getSegment(iframeLoc.href, "?");
//good, the iframe is same origin (no thrown exception)
if(document.title != docTitle){
// sync title of main window with title of iframe.
docTitle = this.iframe.document.title = document.title;
}
}catch(e){
//permission denied - server cannot be reached.
ifrOffline = true;
console.error("dojo.hash: Error adding history
entry. Server unreachable.");
}

again For example, FCKeditor
Copy code The code is as follows:

try{
if ( (/fcksource=true/i).test( window.top.location.search ) )
sFile = 'fckeditor.original.html' ;
}
catch (e) { /* Ignore it. Much probably we are insi
de a FRAME where the "top" is in another domain (security error). */ }

There are also many feedbacks from netizens: chrome bug report

The above code does not apply to chrome, safari, or opera. I checked some information and recorded it here:
1.html5 security location
2.webkit dev lists
As seen from the discussion messages of webkit developers , they admit this problem but are unwilling to correct it, holly shit!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template