同源策略是众多安全策略中的一个,是web层面的策略。
Incomputing, the same-origin policy is an important concept in the web application security
model.Under the policy, a web browser permits scripts( browser-side programming languages, such as JavaScript)contained in a first web page to access data(methods and properties )in a second web page,but only if both web pages have the same origin.
源的含义
An origin is defined as a combinationofURI scheme, host name, and port number.
如果两个URL的协议、域名和端口相同,则称它们同源。相反只要协议,域名,端口有任何一个的不同,就被当作是跨域。
为什么要使用同源策略
The same-origin policyhelps protect sites that use authenticated sessions. The following exampleillustrates a potential security risk that could arise without the same-originpolicy.
Assume that a user isvisiting a banking website and doesn't log out. Then, the user goes to anothersite that has some malicious JavaScript code running in the background thatrequests data from the banking site. Because the user is still logged in on thebanking site, the malicious code could do anything the user could do on thebanking site. For example, it could get a list of the user's last transactions,create a new transaction, etc. This is because the browser can send and receivesession cookies to the banking site based on the domain of the banking site.
The user visiting the malicious site would expect that the site he or she is visiting has no access to the banking session cookie. While it is true that the JavaScript has no direct access to the banking session cookie, it could still send and receive requests to the banking site with the banking site's session cookie. Because the script can essentially do the same as the user would do, even CSRFprotections bythe banking site would not be effective. The same-origin policyrestricts how a document or script loaded from one origin can interact with aresource from another origin. It is a critical security mechanism for isolatingpotentially malicious documents.
Thispolicy prevents a malicious script on one page from obtaining access tosensitive data on another web page through that page'sDocument Object Model.
同源策略的含义
同源策略限制了不同源之间的交互,但是有人也许会有疑问,我们以前在写代码的时候也常常会引用其他域名的js文件,样式文件,图片文件什么的,没看到限制啊,这个定义是不是错了?其实不然,同源策略的含义包含以下几点
在浏览器中,<script>、<img>、<iframe>、<link>等标签都可以加载跨域资源,而不受同源限制,同源策略只对网页的HTML文档做了限制,对加载的其他跨域静态资源如javascript、css、图片等仍然认为属于同源。
页面中的链接,重定向以及表单提交是不会受到同源策略限制的。链接就不用说了,导航网站上的链接都是链接到其他站点的。而你在域名www.foo.com下面提交一个表单到www.bar.com是完全可以的。现在同源策略还被用来判断一个XMLHTTPRequest(AJAX)是否合法,一个页面只能向同一个源的服务器发起AJAX请求。
浏览器限制了JavaScript的权限使其不能读、写上述加载的内容。脚本本身的来源与同源策略无关,相关的是脚本所嵌入的文档的来源,脚本只可以访问和它所嵌入的文档同源的资源;脚本虽然可以打开和关闭一个用来载入不同源文档的新窗口,但不能访问该窗口的任何内容。
不同源(URL)中的嵌入客户端脚本(javascript、ActionScript)在没明确授权的情况下,不能读写对方的资源。如浏览器允许包含在页面A的脚本访问第二个页面B的数据资源(资源包括cookie,http消息头,dom树等),这一切是建立在A和B页面是同源的基础上。不同域的客户端脚本在没有明确授权的情况下,不能读写对方的资源。
如
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>菜鸟教程(runoob.com)</title>
</head>
<body>
<div>
<a href="http://www.runoob.com"> 链接</a>
</div>
--<iframe src="http://www.runoob.com" name="selfframe">
<p>您的浏览器不支持 iframe 标签。</p>
</iframe>
</body>
</html>
上述代码跨域加载资源是允许的,但其中的JavaScript不允许访问跨域资源。如360浏览器中做如下js命令操作(contentDocument 属性以 HTML 对象返回框架容纳的文档)
同源策略会带来一系列跨域访问的问题,如一些合理的用途也受到影响。例如,我同一个站点的两个不同域名不能共享Cookie;再例如,我的前端页面项目的域名与我后端Jetty服务的域名不同,那么我就无法发送Ajax请求来访问Jetty服务,等等。
网友评论