问题描述
使用 window.open
打开的页面是否可以由跨域打开程序检查其自身?(这是在内部应用程序中使用的,因此安全性不是一个大问题.)如果是这样,怎么做?我尝试替换所有我能找到的CORS和Same-Origin策略,但在子窗口的所有属性上仍然得到 Access Denied
.
Is it possible for a page opened with window.open
to allow itself to be examined by a cross-origin opener? (This is for use in internal applications, so security is not a significant concern.) And if so, how? I've tried replacing all of the CORS and Same-Origin policies I can find and I still get Access Denied
on all properties for a child window.
特别是我正在尝试使用 Internet Explorer 11
In particular I am trying to use Internet Explorer 11
标题
这些都是我到目前为止尝试过的所有标头
Access-Control-Allow-Origin: http://web1.corp.local
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Cache-Control,Content-Language,Content-Type,Expires,Last-Modified,Pragma
Access-Control-Expose-Methods: GET,POST,OPTION,PUT,DELETE,HEAD
X-Content-Security-Policy: default-src *;script-src *
Content-Security-Policy: default-src *;script-src *
X-XSS-Protection: 0
X-Permitted-Cross-Domain-Policies: all
我要做什么...
我希望 web1.corp.local
在 web2.corp.local
的页面上执行一些JavaScript.我控制两个域;我只是通过某种方式让 web2
告诉浏览器可以让 web1
读取并执行 web2
上的内容.
I want web1.corp.local
to execute some JavaScript on a page on web2.corp.local
. I control both domains; I just some way for web2
to tell the browser its okay for web1
to read and execute things on web2
.
对 http://web1.corp.local
我正在尝试通过打开器在打开的窗口中调用javascript函数.
I'm trying to call javascript functions on the opened window from the opener.
document.domain = "corp.local";
var web2 = window.open('http://web2.corp.local');
web2.document; //Throw "Access Denied"
web2.MyApp; // undefined
http://web2.corp.local
document.domain = "corp.local";
var myapp = window.MyApp = {
doWork: function() {
alert('Hello World!');
}
};
注意:我有一个使用iframe代理和 window.postMessage
的解决方案,但是在 web2
上托管的应用无法正常运行在iframe中.
Note: I have a solution using an iframe proxy and window.postMessage
but the app hosted on web2
doesn't work correctly from within an iframe.
更新:问题是两个页面未使用 document.domain
,并且我在打开的窗口中未找到异常.
Update: The issue was the two pages were not using the document.domain
and I missed the exception on the opened window.
推荐答案
问题出在document.domain.第二个站点与第一个站点不在同一域中.更改web1的FQDN并使用 document.domain = corp.local
后,问题就解决了.
The issue was the document.domain. The second site was not in the same domain as the first. As soon as I changed the FQDN of web1 and used document.domain = corp.local
the problem was solved.
我错过了 document.domain
上的一个javascript文件引发的异常.
I missed the exception being thrown by one of the javascript files on document.domain
.
这篇关于使用window.open打开页面时,打开的页面如何允许打开器访问其内容?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!