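Same-origin policy is not working

Time: 2014-03-25 20:26:05

Tags: javascript html cross-domain same-origin-policy

I am trying to understand the same-origin policy through a small demo I created. But somehow something is going wrong. Below are the HTML files on 2 different domains (virtual domains that I host in XAMPP):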

  

domain1.com

<html>
<title>
  DOMAIN1.COM
</title>
<script>
  // Tries to read the password field inside the iframe from the parent page.
  function showTheirSecret()
  {
    var stolenSecret = document.getElementById('stealSecret').contentWindow.document.getElementsByName("mySecret")[0].value;
    if (stolenSecret)
    {
      alert("Script on this page accessed the secret box and says " + stolenSecret);
    }
    else
      alert("Script on this page can not access the secret box!! ");
  }
</script>
<body>
  WELCOME TO <h1>domain1.com</h1><br>
  This is the contents on domain1.com. <br>
  These can not be accessed by domain2.com
  <br>
  <br>
  <iframe id="stealSecret" src="http://localhost/~user/training/domain2.com/"></iframe>
  <br>
  <br>
  <h2>
    Click the "ok" button to see domain 2's secret text.
  </h2>
  <input type="button" value="stealData" onclick="javascript:showTheirSecret()">
</body>
</html>
  

domain2.com

<html>
<title>
  DOMAIN2.COM
</title>
<script type="text/javascript">
  // Reads the password field from a script running on the same page.
  function showMe()
  {
    var secret = document.getElementsByName("mySecret")[0].value;
    if (secret)
    {
      alert("Script on this page accessed the secret box and says " + secret);
    }
    else
      alert("Script on this page can not access the secret box!! ");
  }
</script>
<body>
  WELCOME TO <h1>domain2.com</h1><br>
  This is the contents on domain2.com. <br>
  These can not be accessed by domain1.com
  <br>
  <h2>
    Put your secret text here !!
  </h2> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
  <h2>
    Click the "ok" button to see your own text.
  </h2>
  <input type="password" name="mySecret" value="">
  <input type="button" value="ok" onclick="javascript:showMe()">
</body>
</html>

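Now let's say I am on domain1.com with the iframe (which holds domain2.com), and I add some text in the text box in the iframe. Now I click the "stealData" button. Ideally, what I expect is that the same-origin policy should kick in and I should not be allowed to access the contents of the text box in the iframe. The same should be visible as an error in Firefox's JavaScript console. But this doesn't really happen. Why?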

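1 answer:

Answer 0 (score: 0)

Thanks, everyone. After going through RichieHIndle's comment, I realized that the setup of the domains itself was the mistake. The httpd-vhosts.conf entries for my domains were incorrect. Correcting this file did the job and I got what I was expecting. I can see the same-origin policy in action.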
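
As an added example (not part of the original question or answer): the sketch below compares URLs by the tuple the same-origin policy uses (scheme, host, port), which shows why two folders served from one host do not isolate the iframe while two real virtual hosts do. The parent URL is an assumption modelled on the iframe src in the question; the domain1.com/domain2.com URLs and the helper names are constructed for illustration.

```javascript
// Added example: origin comparison as the same-origin policy performs it.
// Only scheme, host and port matter; the path plays no part.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originTuple(url) {
  const u = new URL(url); // WHATWG URL parser: lowercases host, drops default port
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Says whether a parent page could read the frame's DOM, and if not, why.
function explain(parentUrl, frameUrl) {
  const p = originTuple(parentUrl), f = originTuple(frameUrl);
  const diffs = ["scheme", "host", "port"].filter((k) => p[k] !== f[k]);
  return diffs.length === 0
    ? { allowed: true, reason: "same origin: frame DOM is readable" }
    : { allowed: false, reason: "differs in " + diffs.join(", ") };
}

// iframe src exactly as posted in the question
const FRAME_AS_POSTED = "http://localhost/~user/training/domain2.com/";
// ASSUMPTION: the parent page URL is not given on the page; modelled on the src above
const PARENT_ASSUMED = "http://localhost/~user/training/domain1.com/";

// Constructed cases: the demo as served, then working virtual hosts and variants
const cases = [
  [PARENT_ASSUMED, FRAME_AS_POSTED],
  ["http://domain1.com/", "http://domain2.com/"],
  ["http://domain1.com/", "http://domain1.com:8080/"],
  ["http://domain1.com/", "https://domain1.com/"],
  ["http://domain1.com:80/", "http://DOMAIN1.com/"],
];

for (const [parent, frame] of cases) {
  const r = explain(parent, frame);
  console.log(`${parent} -> ${frame}: ${r.allowed ? "ALLOWED" : "BLOCKED"} (${r.reason})`);
}
```

Checking location.origin in the console of both the parent page and the frame is a quick way to confirm that the virtual hosts really resolve to distinct origins before testing the policy.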