Relaxing the same-origin policy
In some circumstances, the same-origin policy is too restrictive. This section describes three techniques for relaxing it.
The same-origin policy poses problems for large websites that use multiple subdomains. For example, a script in a document from home.example.com might legitimately want to read properties of a document loaded from developer.example.com, or scripts from orders.example.com might need to read properties from documents on catalog.example.com. To support multidomain websites of this sort, you can use the domain property of the Document object. By default, the domain property contains the hostname of the server from which the document was loaded. You can set this property, but only to a string that is a valid domain suffix of itself. Thus, if domain is originally the string “home.example.com”, you can set it to the string “example.com”, but not to “home.example” or “ample.com”. Furthermore, the domain value must have at least one dot in it; you cannot set it to “com” or any other top-level domain.
If two windows (or frames) contain scripts that set domain to the same value, the same-origin policy is relaxed for these two windows, and each window can interact with the other. Both documents must assign the property, even a document whose hostname already equals the chosen value; assigning it is what opts the document in. For example, cooperating scripts in documents loaded from orders.example.com and catalog.example.com might set their document.domain properties to “example.com”, thereby making the documents appear to have the same origin and enabling each document to read properties of the other. Note that the relaxation is not limited to the two cooperating documents: any document served from any host under example.com can set the same value and gain the same access, so a script-injection flaw on one subdomain exposes every document that has opted in.
The second technique for relaxing the same-origin policy is being standardized under the name Cross-Origin Resource Sharing (see http://www.w3.org/TR/cors/ ). This draft standard extends HTTP with a new Origin: request header and a new Access-Control-Allow-Origin response header. It allows servers to use the response header to explicitly name the origin that may read a resource, or to use a wildcard (*) and allow a resource to be read by a script from any site. Browsers such as Firefox 3.5 and Safari 4 use this new header to allow the cross-origin HTTP requests with XMLHttpRequest that would otherwise have been forbidden by the same-origin policy. Two caveats matter in practice: the check is enforced by the browser on the response, so the request itself may still reach the server and the server must still authenticate it; and the wildcard is not honored for requests that carry credentials such as cookies, so a resource that depends on the user's session must name the origin explicitly rather than use *.
13.6 Security | 335
Another new technique, known as cross-document messaging, allows a script from one document to pass textual messages to a script in another document, regardless of the script origins. Calling the postMessage() method on a Window object results in the asynchronous delivery of a message event (you can handle it with an onmessage event handler function) to the document in that window. A script in one document still cannot invoke methods or read properties of the other document, but they can communicate safely through this message-passing technique, provided each side checks the other: the receiver must compare the event's origin property against the origin it expects before acting on the message, and the sender should pass the intended origin as the second argument to postMessage() rather than the wildcard “*”, so that a message is not delivered if the target window has since navigated to some other site. See §22.3 for more on the cross-document messaging API.