Ginew.Z 的博客

一切,为了让生活更简单、更自然

  BlogJava :: 首页 :: 联系 :: 聚合  :: 管理
  21 Posts :: 0 Stories :: 14 Comments :: 0 Trackbacks

以前如果要使iframe里面的脚本能访问parent的内容,但iframe和parent的二级域名相同,那一般都会在两者都写上document.domain="xxx.com" 以放宽访问权限。

今天发现,如果iframe和parent在同一个三级域名下,比如都是aa.bb.com,那设了document.domain反而会造成访问拒绝。

查了下MSDN,有如下解释:

Remarks

The property initially returns the host name of the server from which the page is served. The property can be assigned the domain suffix to allow sharing of pages across frames. For example, a page in one frame from home.microsoft.com and a page from www.microsoft.com initially would not be able to communicate with each other. However, by setting the domain property of both pages to the suffix "microsoft.com", you ensure that both pages are considered secure and access is available between the pages.

When you set the domain property, use the domain name determined by the server rather than by the client browser.

All the pages on different hosts must have the domain property explicitly set to the same value to communicate successfully with each other. For example, the value of the domain property of a page on the host microsoft.com would be "microsoft.com" by default. It might seem logical that if you set the domain property of a page on another host named msdn.microsoft.com to "microsoft.com," that the two pages could communicate with each other. However, this is not the case unless you have also explicitly set the domain property of the page on microsoft.com to "microsoft.com".

Furthermore, this property cannot be used to allow cross-frame communication among frames with different domain suffixes. For example, a page in one frame from www.microsoft.com and a page in another frame from www.msn.com would not be able to communicate with each other even if the domain property of both pages was set to the suffix "microsoft.com".

security note Security Alert  Using this property incorrectly can compromise the security of your Web site. Set the domain property only if you must allow cross-domain scripting. Use a value determined on the server. Setting this property to a value determined on the client (like through the location object) could expose your site to attack from another site through Domain Name System (DNS) manipulation. For more information, see Security Considerations: Dynamic HTML.

For more information on domain security, see About Cross-Frame Scripting and Security.

posted on 2006-04-13 11:54 无风之雨 阅读(9347) 评论(3)  编辑  收藏 所属分类: JavaScript

Feedback

# re: document.domain与域名的问题 2012-07-26 13:48 问学堂
嗯,学习了,谢谢!  回复  更多评论
  

# re: document.domain与域名的问题 2012-07-29 18:02 jdwx
document.domain跨域问题,学习了,谢谢。  回复  更多评论
  

# re: document.domain与域名的问题 2013-05-31 08:03 lsb
好值得学习  回复  更多评论
  


只有注册用户登录后才能发表评论。


网站导航: