問題描述

在很多地方，我看到人們談論過跨域 XMLHttpRequest，由于某些安全原因，這是不可能的.但是，我還沒有找到說明這些安全原因究竟是什么的帖子?

In many places I've seen people have talked about the Cross-Domain XMLHttpRequest, which is not possible, due to some security reasons. However, I haven't found a post indicating what those security reasons actually are?

人們提到 JSONP 是很好的替代方案之一.另一種選擇是使用 Origin 和 Access-Control-Allow-Origin 標頭.

People have mentioned that JSONP is one of the good alternatives. Another alternative would be to use Origin and Access-Control-Allow-Origin headers.

但是，我只想知道跨域使用 XMLHttpRequest 會引發哪些安全問題?

However, I just want to know what security problems can be raised due to cross-domain XMLHttpRequest usage?

推薦答案

我認為最好回答你的問題，例如為什么它會非常糟糕.

I think it would be best to answer your question of an example of WHY it would be horrendously bad.

您訪問我的網站 (example.org).我加載了一個向 facebook.com/messages/from/yourgirlfriend 發出客戶端 AJAX 請求的腳本.你碰巧登錄了 facebook，你的瀏覽器告訴 Facebook 我的請求實際上是你.Facebook 很高興地向我提出了關于你想嘗試的奇怪性行為的信息.我現在知道了一些你可能不想讓我知道的關于你的事情.

You go to my website (example.org). I load a script that makes a client-side AJAX request to facebook.com/messages/from/yourgirlfriend. You happened to be logged in to facebook, and your browser tells Facebook that my request is actually you. Facebook happily gives my request that message about the strange sexual things you want to try. I now know things about you you probably didn't want me to know.

這當然是夸張了，幸好由于同源政策是不可能的.

This, of course is a wild exaggeration, and thankfully not possible thanks to the same origin policy.

你現在不覺得更安全了嗎?

Don't you feel safer now?

這篇關于使用跨域 XMLHttpRequest 有哪些安全風險?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！