Chrome 用户脚本错误:“不安全的 JavaScript 尝试访问框架”
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10666258/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Chrome userscript error: "Unsafe JavaScript attempt to access frame"
提问by yellow-saint
// the iframe of the div I need to access
var iframe = document.getElementsByTagName("iframe")[2];
var innerDoc = iframe.contentDocument || iframe.contentWindow.document;
// resize 'player' in the iframe
innerDoc.getElementById('player').width = "1000px";
innerDoc.getElementById('player').height = "650px";
Running in a userscript for this url: http://www.free-tv-video-online.me/player/sockshare.php?id=24DA6EAA2561FD60
在此网址的用户脚本中运行:http://www.free-tv-video-online.me/player/sockshare.php?id=24DA6EAA2561FD60
Why does Chrome come out with this error and fail the script?:
为什么 Chrome 会出现此错误并导致脚本失败?:
Unsafe JavaScript attempt to access frame with URL http://www.sockshare.com/embed/24DA6EAA2561FD60
from frame with URL http://www.free-tv-video-online.me/player/sockshare.php?id=24DA6EAA2561FD60.
Domains, protocols and ports must match.
(I'm only a basic Javascript user)
(我只是一个基本的 Javascript 用户)
Final code, many thanks to the answerer:
最终代码,非常感谢回答者:
// ==UserScript==
// @name Resize
// @include http://www.free-tv-video-online.me/player/sockshare.php*
// @include http://www.sockshare.com/*
// ==/UserScript==
if (!(window.top === window.self)) {
var player = document.getElementById('player');
setSize(player);
}
function setSize(player) {
player.style.setProperty("width", "1000px");
player.style.setProperty("height", "650px");
}
回答by Brock Adams
It's true that ordinary javascript cannot access iframe content, that's on a different domain, for security reasons. However, this by no means stops userscripts in Chrome, Tampermonkey or Greasemonkey.
确实,出于安全原因,普通 javascript 无法访问位于不同域中的 iframe 内容。 但是,这绝不会停止 Chrome、Tampermonkey 或 Greasemonkey 中的用户脚本。
You can process iframed content in a userscript because Chrome (and Firefox) process iframe'd pages just as if they were the main page. Accounting for that, scripting such pages is a snap.
您可以在用户脚本中处理 iframe 内容,因为 Chrome(和 Firefox)处理 iframe 的页面就像它们是主页面一样。考虑到这一点,编写此类页面的脚本很容易。
For example, suppose you have this page at domain_A.com:
例如,假设您在domain_A.com 上有这个页面:
<html>
<body>
<iframe src="http://domain_B.com/SomePage.htm"></iframe>
</body>
</html>
If you set your @matchdirectives like this:
如果您@match像这样设置指令:
// @match http://domain_A.com/*
// @match http://domain_B.com/*
Then your script will run twice -- once on the main page and once on the iframe as though it were a standalone page.
然后您的脚本将运行两次——一次在主页面上,一次在 iframe 上,就好像它是一个独立的页面一样。
So if your script was like this:
所以如果你的脚本是这样的:
// ==UserScript==
// @name _Test iFrame processing in Chrome and Tampermonkey
// @match http://domain_A.com/*
// @match http://domain_B.com/*
// ==/UserScript==
if (/domain_A\.com/i.test (document.location.href) ) {
//Main page
document.body.style.setProperty ("background", "lime", "important");
}
else {
//iFrame
document.body.style.setProperty ("background", "pink", "important");
}
You would see the main page in lime-green, and the iframed page in pink.
您会看到浅绿色的主页和粉红色的 iframe 页面。
Alternatively, you can test like this:
或者,您可以这样测试:
if (window.top === window.self) {
//--- Code to run when page is the main site...
}
else {
//--- Code to run when page is in an iframe...
}
As you discovered (per comment on another answer), you can disable the same origin policy on Chrome. Don't do this!You will leave yourself open to all kinds of shenanigans set up by bad people. In addition to evil sites, many nominally "good" sites -- that allow users to post content -- could potentially track, hack, or spoof you.
正如您所发现的(根据对另一个答案的评论),您可以在 Chrome 上禁用同源策略。不要这样做!你会让自己对坏人设置的各种恶作剧持开放态度。除了邪恶站点之外,许多名义上的“好”站点——允许用户发布内容——可能会跟踪、攻击或欺骗您。
回答by Sherms
For security reasons your browser won't allow you to access javascript in an iframe from another domain.
出于安全原因,您的浏览器不允许您从另一个域访问 iframe 中的 javascript。
See the top answer here:
请参阅此处的最佳答案:
