I understand that cross site scripting (xss) is not good and is not supported in most browsers. However, I am building a page to be used only by about 3 or 4 people within my company. On this page I have a frame from another domain and I need the parent page to be able to access the values within that frame.
我知道跨站点脚本(xss)并不好,大多数浏览器都不支持。但是,我正在构建一个页面,仅供我公司内约3或4人使用。在这个页面上,我有一个来自另一个域的框架,我需要父页面才能访问该框架中的值。
So my question is, is there a way (changing settings, etc), in either Firefox or IE7, to allow this to happen? Preferably (though not necessarily) any setting change would be for my domain explicitly.
所以我的问题是,有没有办法(更改设置等),在Firefox或IE7中,允许这种情况发生?优选地(但不一定)任何设置更改将明确地针对我的域。
I've found some help online that says that in FF you can add capability.policy to allow this. I haven't had any luck though, perhaps that isn't supported in FF3.
我在网上找到了一些帮助,说在FF中你可以添加capability.policy来实现这一点。我没有运气,也许FF3不支持。
3 个解决方案
#1
For those looking, there is a great backwards-compatible, javascript-only way to communicate across domains. Short, easy code as well. Perfect solution? As long as you have request modifications to the parent and the child:
对于那些寻找,有一个伟大的向后兼容,javascript唯一的方式跨域通信。简短易用的代码。完美解决方案只要您对父母和孩子进行了修改请求:
http://www.onlineaspect.com/2010/01/15/backwards-compatible-postmessage/
#2
A couple ideas of the top of my head:
我头脑中的几个想法:
-
In IE you can change the settings for the security zone that your site is in. I suggest you add the domains to "Trusted sites" and then make sure that ""Access data sources across domains." is enabled for the Trusted Sites-zone. You can find more info here.
在IE中,您可以更改站点所在安全区域的设置。我建议您将域添加到“可信站点”,然后确保为“可信站点”区域启用“”跨域访问数据源。“你可以在这里找到更多信息。
-
If you have a domain-name which you have control over, maybe you can set up sub-domains which point to the sites in the different frames? Thereby fooling the web browser that they are part of the same site?
如果您有一个可以控制的域名,也许您可以设置指向不同帧中的站点的子域?从而欺骗网络浏览器,他们是同一网站的一部分?
-
If you like coding you can create a custom app which uses the IE-browser control and implements its own IInternetSecurityManager (http://msdn.microsoft.com/en-us/library/ms537130(VS.85).aspx) which allows cross-domain script access.
如果您喜欢编码,您可以创建一个使用IE浏览器控件的自定义应用程序,并实现自己的IInternetSecurityManager(http://msdn.microsoft.com/en-us/library/ms537130(VS.85).aspx)跨域脚本访问。
#3
Another option is to set up a proxy page so that the pages appear to originate in the same domain. Proxy pages can be terribly vulnerable to XSS, depending on implementation. Even though you state that that's not a concern here, it's important to consider.
另一个选项是设置代理页面,以使页面看起来来自同一个域。代理页面可能非常容易受到XSS的攻击,具体取决于实现。即使您声明这不是一个问题,但重要的是要考虑。
#1
For those looking, there is a great backwards-compatible, javascript-only way to communicate across domains. Short, easy code as well. Perfect solution? As long as you have request modifications to the parent and the child:
对于那些寻找,有一个伟大的向后兼容,javascript唯一的方式跨域通信。简短易用的代码。完美解决方案只要您对父母和孩子进行了修改请求:
http://www.onlineaspect.com/2010/01/15/backwards-compatible-postmessage/
#2
A couple ideas of the top of my head:
我头脑中的几个想法:
-
In IE you can change the settings for the security zone that your site is in. I suggest you add the domains to "Trusted sites" and then make sure that ""Access data sources across domains." is enabled for the Trusted Sites-zone. You can find more info here.
在IE中,您可以更改站点所在安全区域的设置。我建议您将域添加到“可信站点”,然后确保为“可信站点”区域启用“”跨域访问数据源。“你可以在这里找到更多信息。
-
If you have a domain-name which you have control over, maybe you can set up sub-domains which point to the sites in the different frames? Thereby fooling the web browser that they are part of the same site?
如果您有一个可以控制的域名,也许您可以设置指向不同帧中的站点的子域?从而欺骗网络浏览器,他们是同一网站的一部分?
-
If you like coding you can create a custom app which uses the IE-browser control and implements its own IInternetSecurityManager (http://msdn.microsoft.com/en-us/library/ms537130(VS.85).aspx) which allows cross-domain script access.
如果您喜欢编码,您可以创建一个使用IE浏览器控件的自定义应用程序,并实现自己的IInternetSecurityManager(http://msdn.microsoft.com/en-us/library/ms537130(VS.85).aspx)跨域脚本访问。
#3
Another option is to set up a proxy page so that the pages appear to originate in the same domain. Proxy pages can be terribly vulnerable to XSS, depending on implementation. Even though you state that that's not a concern here, it's important to consider.
另一个选项是设置代理页面,以使页面看起来来自同一个域。代理页面可能非常容易受到XSS的攻击,具体取决于实现。即使您声明这不是一个问题,但重要的是要考虑。