JavaScript error: Permission denied to access property 'document'

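Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow original URL: http://stackoverflow.com/questions/7995223/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow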

Time: 2020-08-24 04:18:29  Source: igfitidea

error : Permission denied to access property 'document'

javascript

Asked by user603007

How can I fix this message in Firefox? I am using an iframe which has an anchor tag. I would like to get a reference to this anchor, but I am getting this error when I am trying to access the anchor:


var frameWindow = document.getElementById('myIframe').contentWindow;
var anchor = frameWindow.document.links[0]; //.getElementsByClassName('a');
anchor.onclick....

Answered by Cees Timmerman

Relaxing the same-origin policy


In some circumstances the same-origin policy is too restrictive, posing problems for large websites that use multiple subdomains. Here are four techniques for relaxing it:


document.domain property


If two windows (or frames) contain scripts that set domain to the same value, the same-origin policy is relaxed for these two windows, and each window can interact with the other. For example, cooperating scripts in documents loaded from orders.example.com and catalog.example.com might set their document.domain properties to “example.com”, thereby making the documents appear to have the same origin and enabling each document to read properties of the other. This might not always work as the port stored in the internal representation can become marked as null. In other words, example.com port 80 will become example.com port null because we update document.domain. Port null might not be treated as 80 (depending on your browser) and hence might fail or succeed depending on your browser.


Cross-Origin Resource Sharing


The second technique for relaxing the same-origin policy is being standardized under the name Cross-Origin Resource Sharing. This draft standard extends HTTP with a new Origin request header and a new Access-Control-Allow-Origin response header. It allows servers to use a header to explicitly list origins that may request a file or to use a wildcard and allow a file to be requested by any site. Browsers such as Firefox 3.5 and Safari 4 use this new header to allow the cross-origin HTTP requests with XMLHttpRequest that would otherwise have been forbidden by the same-origin policy.[7]


Cross-document messaging


Another new technique, cross-document messaging, allows a script from one page to pass textual messages to a script on another page regardless of the script origins. Calling the postMessage() method on a Window object asynchronously fires an "onmessage" event in that window, triggering any user-defined event handlers. A script in one page still cannot directly access methods or variables in the other page, but they can communicate safely through this message-passing technique.


JSONP


JSONP allows a page to receive JSON data from a different domain by adding a <script> element to the page which loads a JSON response from a different domain.


The function call is the "P" of JSONP—the "padding" around the pure JSON, or according to some the "prefix". By convention, the browser provides the name of the callback function as a named query parameter value, typically using the name jsonp or callback as the named query parameter field name, in its request to the server, e.g.,


<script type="application/javascript"
        src="http://server2.example.com/Users/1234?jsonp=parseResponse">
</script>

In this example, the received payload would be:


parseResponse({"Name": "Foo", "Id": 1234, "Rank": 7});
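Added example (not part of either answer or of the original page): the cross-document messaging technique applied to the question's iframe link, for the case where you control the page inside the iframe. The two origins, the message shape and the function names are assumptions.

```javascript
// Added example: assumed origins and message format, not from the original post.
const FRAME_ORIGIN = 'https://frame.example.com';  // assumed origin of the iframe page
const PARENT_ORIGIN = 'https://www.example.com';   // assumed origin of the embedding page

// Runs inside the iframe page: report link clicks to the parent instead of
// having the parent reach into this document (which the browser blocks).
function reportLinkClicks(doc, parentWindow) {
  for (const link of doc.links) {
    link.addEventListener('click', () => {
      // An explicit targetOrigin (never '*') means the message is dropped
      // if the parent window is no longer on the expected origin.
      parentWindow.postMessage({ type: 'link-click', href: link.href }, PARENT_ORIGIN);
    });
  }
}

// Runs in the parent page: builds a "message" handler that accepts only
// well-formed messages sent by the expected frame from the expected origin.
function makeLinkClickReceiver(frameWindow, onLinkClick) {
  return function receive(event) {
    if (event.origin !== FRAME_ORIGIN) return false;  // unexpected sender origin
    if (event.source !== frameWindow) return false;   // not the iframe we embedded
    const data = event.data;
    if (!data || data.type !== 'link-click' || typeof data.href !== 'string') return false;
    onLinkClick(data.href);
    return true;
  };
}

// Browser wiring; skipped where there is no DOM (for example under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (window.parent !== window) {
    reportLinkClicks(document, window.parent);        // we are the framed page
  } else {
    const frame = document.getElementById('myIframe');
    if (frame) {
      const receive = makeLinkClickReceiver(frame.contentWindow,
        (href) => console.log('link clicked in iframe:', href));
      window.addEventListener('message', receive);
    }
  }
}
```

The receiver returns `false` for anything it ignores, so rejected messages can be counted or logged when diagnosing an integration.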

Answered by Trevor

If the iframe points to a different domain, you will get this error. This is an example of your browser preventing cross-site scripting: http://en.wikipedia.org/wiki/Cross-site_scripting
