Are AJAX calls to a sub-domain considered Cross Site Scripting?
Declaration: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/3040514/
Asked by AaronPresley
I have Server A (www.example.com) sending information to Server B. I can only have HTML / JS on Server A (and have to do the "crunching" on Server B) so I'm trying to send form data via AJAX (trying to avoid a form post to Server B - don't ask).
Obviously doing an AJAX call cross-domain is considered XSS and a big no-no, but if I were to put Server B in a subdomain (sub.example.com), would that be considered okay? How are cross-domain errors detected? Does the browser look up DNS records? IP address?
Thanks in advance for your help.
Answered by Ben S
Sub-domains are considered different and will fail the Same Origin Policy unless both sub-domains declare the same document.domain DOM property (and even then, different browsers behave differently).
Answered by Quentin
Short answer: No. See the Same Origin Policy
You can only make an XHR request to the same host, port, and protocol.
If you want to do Ajax without sticking to that, you can look at JSON-P.
(XSS is a completely different kettle of fish, in which a site allows data to be injected into it (e.g. via a URI) that gets treated as JS allowing third parties to direct people to your site, while they are logged into it, and steal or edit data.)
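The origin comparison both answers describe (scheme, host and port must all match, and a sub-domain such as sub.example.com is a different origin from www.example.com unless both pages opt in through document.domain), worked through as an added example that is not part of the original thread. The helper names, the simplified document.domain model (it ignores the public-suffix restrictions real browsers apply) and the sample URLs are assumptions for illustration.

```javascript
// Added example: how a browser decides whether two URLs share an origin under the
// Same Origin Policy, plus a simplified model of the legacy document.domain relaxation.
// Not code from the original thread; helper names and sample URLs are constructed.

// Default port for the schemes we care about; URL.port is "" when the port is the default.
function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// The triple the browser actually compares: scheme, host, port (default ports normalised).
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol.replace(":", ""),
    host: u.hostname,
    port: u.port || defaultPort(u.protocol),
  };
}

// Plain Same Origin Policy: every part of the triple must match exactly.
// Note that "www.example.com" and "sub.example.com" are simply different hosts here.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Simplified model of the legacy document.domain relaxation: both pages must set
// document.domain to the same value, and that value must be the page's own host or a
// parent domain of it. Real browsers additionally refuse public suffixes such as "co.uk"
// and treat the scheme as still having to match; this toy check models only the first two rules.
function isParentDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function sameOriginAfterDocumentDomain(a, b, domainA, domainB) {
  const x = originOf(a), y = originOf(b);
  if (x.scheme !== y.scheme) return false;   // document.domain never bridges http/https
  if (domainA !== domainB) return false;     // both sides must opt in to the same value
  return isParentDomain(x.host, domainA) && isParentDomain(y.host, domainB);
}

// Constructed sample pairs covering the situations raised in the question.
const cases = [
  ["http://www.example.com/form", "http://www.example.com/api"],        // same host
  ["http://www.example.com/form", "http://sub.example.com/api"],        // sub-domain
  ["http://www.example.com/form", "https://www.example.com/api"],       // scheme differs
  ["http://www.example.com/form", "http://www.example.com:8080/api"],   // port differs
  ["http://www.example.com:80/form", "http://www.example.com/api"],     // explicit default port
];

function classify(pairs) {
  return pairs.map(([a, b]) => ({ a, b, sameOrigin: sameOrigin(a, b) }));
}

console.table(classify(cases));
// Only the first and last pairs are same-origin; the sub-domain pair is not, until both
// pages set document.domain = "example.com":
console.log(sameOriginAfterDocumentDomain(
  "http://www.example.com", "http://sub.example.com", "example.com", "example.com")); // true
```

Running this under Node (which provides the WHATWG URL class) prints the table of verdicts; the point to take away is that the browser never consults DNS or IP addresses for this decision, it compares only the scheme, host string and port of the two URLs.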