不安全的 JavaScript 尝试使用 URL 启动框架导航
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/31269967/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Unsafe JavaScript attempt to initiate navigation for frame with URL
提问by Noob Coder
This is a bit complicated, please bear with me. Website A has a iframe that contains website B and website B has a iframe that contain website C.
这有点复杂,请耐心等待。网站 A 的 iframe 包含网站 B,网站 B 的 iframe 包含网站 C。
There is a button on website C, when clicked, I want to refresh url of website B. below is the javascript called to do the refresh of website B from website C, which is in an iframe
网站 C 上有一个按钮,点击后,我想刷新网站 B 的 url。下面是调用 javascript 从网站 C 刷新网站 B,它在 iframe 中
function url_update(id){
var host = 'https://websiteb.com ';
var myHost = host.split('/');
if (id != "" && myHost != ""){
try {
if (id.substring(0,1) != '/'){
id = '/' + id;
}
var dft_url = myHost[0] + '//' + myHost[2] + id;
window.parent.location.href = dft_url;
} catch(e){alert("Cannot go to the desired url location: " + dft_url);}
}
}
but when the line "window.parent.location.href = dft_url;" gets executed, I received the following error:
但是当“window.parent.location.href = dft_url;”这一行时 被执行,我收到以下错误:
Unsafe JavaScript attempt to initiate navigation for frame with URL
'https://websiteB.com' from frame with URL
'https://websiteC.com'. The frame attempting navigation is
neither same-origin with the target, nor is it the target's parent or
opener.
I don't understand why this happening and how to fix it. Any help will be appreciated.
我不明白为什么会发生这种情况以及如何解决它。任何帮助将不胜感激。
I did some research, most claimed this is an origin problem, but if I take out website A, meaning only have website B with an iframe that contains website C, then the above code works. Even though they have different domains
我做了一些研究,大多数人声称这是一个起源问题,但是如果我去掉网站 A,这意味着只有网站 B 的 iframe 包含网站 C,那么上面的代码就可以工作了。即使他们有不同的域
回答by Julien Grégtheitroade
You can find an explanation of this behavior in a comment of the Chromium source code. See here:
您可以在 Chromium 源代码的注释中找到对此行为的解释。看这里:
Basically top-level windows have less restrictions regarding navigation than other windows. See restrictions for non top windows:
基本上顶级窗口对导航的限制比其他窗口少。请参阅非顶部窗口的限制:
A document can navigate its decendant frames, or, more generally, a document can navigate a frame if the document is in the same origin as any of that frame's ancestors (in the frame hierarchy).
文档可以导航其后代框架,或者更一般地说,如果文档与该框架的任何祖先(在框架层次结构中)位于同一原点,则该文档可以导航该框架。
Where as for top window:
至于顶部窗口:
Specifically, a document can navigate a top-level frame if that frame opened the document or if the document is the same-origin with any of the top-level frame's opener's ancestors (in the frame hierarchy).
具体而言,如果该框架打开了该文档,或者该文档与任何顶级框架的开启者的祖先(在框架层次结构中)同源,则该文档可以导航顶级框架。
Reason for that is:
原因是:
Top-level frames are easier to navigate than other frames because they display their URLs in the address bar (in most browsers).
顶级框架比其他框架更容易导航,因为它们在地址栏中显示它们的 URL(在大多数浏览器中)。
So basically, for a non top window, it absolutely needs to be same origin to allow navigation, but for top windows, a frame that was opened by that window can navigate even if it's not same-origin. Which seems to be the problem you're facing, when B is top, the same origin doesn't apply, but when it's not top, then it applies.
所以基本上,对于非顶部窗口,它绝对需要同源以允许导航,但对于顶部窗口,由该窗口打开的框架可以导航,即使它不是同源的。这似乎是您面临的问题,当 B 处于顶部时,同源不适用,但当它不是顶部时,则适用。
According to this, I'm not sure there's a straightforward, or any at all, solution.
据此,我不确定是否有一个简单的解决方案,或者根本没有解决方案。
