允许 HTTP iFrame 在 HTTPS 父框架上调用 JavaScript
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3331548/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Allowing HTTP iFrame to call JavaScript on HTTPS parent frame
提问by user401833
I have an https page (https://example.com/main.php) that has an iframe with a non-https source (http://example.com/inner.php). Both files are on the same server - just one is accessed with https and the other is not. I need the non-https page to be able to execute javascript on the https main.phppage using code such as parent.myfunction()
我有一个 https 页面(https://example.com/main.php),它有一个带有非 https 源(http://example.com/inner.php)的 iframe 。两个文件都在同一台服务器上 - 只有一个通过 https 访问,另一个没有。我需要非 https 页面才能main.php使用代码在 https页面上执行 javascript,例如parent.myfunction()
However, when I try this, I get the following error:
但是,当我尝试此操作时,出现以下错误:
Unsafe JavaScript attempt to access frame with URL https://example.com/main.phpfrom frame with url http://example.com/inner.php. Domains, protocols and ports must match.
不安全的 JavaScript 尝试从具有 url http://example.com/inner.php 的框架访问具有 URL https://example.com/main.php的框架。域、协议和端口必须匹配。
I have set document.domain = 'example.com'on both files and I thought that would fix it, however, it does not. Is there any way to allow the frame to execute javascripts on the parent frame and vice-versa? If so, what are the security implications of this?
我已经设置document.domain = 'example.com'了两个文件,我认为这会解决它,但是,它没有。有什么方法可以让框架在父框架上执行 javascripts,反之亦然?如果是这样,这对安全有什么影响?
PS: For those of you that will suggest just using https or http for both pages, I am looking into that. However, due to the processes occuring in the iframe page, this might not be a a feasible option due to server load issues.
PS:对于那些建议只对两个页面使用 https 或 http 的人,我正在调查。但是,由于 iframe 页面中发生的进程,由于服务器负载问题,这可能不是一个可行的选项。
回答by Pointy
The "Same Origin Policy" covers the protocol ("http" or "https"), the hostname, and the port number. All of those have to match or you lose.
“同源策略”涵盖协议(“http”或“https”)、主机名和端口号。所有这些都必须匹配,否则你就输了。
If your server load would really be affected by having to apply encryption to the <iframe>page, then I suspect you've got other, far more serious problems. In this day and age that really shouldn't be an issue. If you've got a massively high-traffic site, then you probably should be using a front-end to do the SSL anyway.
如果您的服务器负载真的会因必须对<iframe>页面应用加密而受到影响,那么我怀疑您还有其他更严重的问题。在这个时代,这真的不应该成为问题。如果您有一个庞大的高流量站点,那么无论如何您可能应该使用前端来执行 SSL。
回答by Borealid
If it were everpossible to do what you are asking to do, no SSL-secured web site would ever be safe.
如果是以往任何时候都可以做到你所要求做什么,没有SSL保护的网站将永远是安全的。
Let me describe the problem. Let's say a user, Alice, goes to access her account on Paypal.com. I, Mallory, am between Paypal and Alice. As Alice accesses Paypal, I intercept her request and return a page containing two things: one frame with https://paypal.com, and one containing a page purporting to be 'http://my.paypal.com', which I crafted myself. The HTTPS frame validates fine because it actually came from Paypal. The HTTP frame contains some Javascript of my device which will reach into the HTTPS frame, and when Alice enters her password it will send it to me!
让我描述一下问题。假设用户 Alice 去访问她在 Paypal.com 上的帐户。我,马洛里,介于 Paypal 和 Alice 之间。当 Alice 访问 Paypal 时,我拦截了她的请求并返回了一个包含两件事的页面:一个带有https://paypal.com 的框架,另一个包含一个声称是“ http://my.paypal.com”的页面,我自己制作的。HTTPS 框架验证良好,因为它实际上来自 Paypal。HTTP 帧包含我的设备的一些 Javascript,它将进入 HTTPS 帧,当 Alice 输入她的密码时,它将发送给我!
So no, it's not OK to access secure content from insecure content, even on the same domain.
所以不,即使在同一个域中,从不安全的内容访问安全内容也是不行的。
回答by Warty
You can not do cross-domain/cross-protocol/cross-port access with JavaScript. This is known as "cross domain scripting", which is an issue since without security like this, I could open up GMail in an iframe, get the "u" and "p" textboxes, and have a user's login info like that.
您无法使用 JavaScript 进行跨域/跨协议/跨端口访问。这被称为“跨域脚本”,这是一个问题,因为没有这样的安全性,我可以在 iframe 中打开 GMail,获取“u”和“p”文本框,并拥有这样的用户登录信息。
What you put in your PS is the only real solution you can use besides using an echo server... which would be overkill.
除了使用回声服务器之外,您在 PS 中放入的内容是唯一可以使用的真正解决方案……这有点矫枉过正。
![window[] 和 eval() 之间的区别 - Javascript](/res/img/loading.gif)