document.domain is the same yet still getting same-origin errors
I have some JavaScript that looks like this:
// https://secure.example.com
document.domain = "example.com";
window.myVar = "value";
// http://example.com
document.domain = "example.com";
var iframe = document.body.appendChild(document.createElement("iframe"));
iframe.onload = function () {
    console.log(iframe.contentWindow.myVar);
}
iframe.src = "https://secure.example.com";
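I'm trying to access myVar by loading https://secure.example.com into an iframe in http://example.com. Note the use of http and https. This works when both domains use http or both use https, but now I want one to use http and the other to use https. I've stepped through the code to verify that document.domain is being set correctly. Why is this happening?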
Based on the MDN page How to fix a website with blocked mixed content:
The best strategy to avoid mixed content blocking is to serve all the
content as HTTPS instead of HTTP.
For your own domain, serve all content as HTTPS and fix your links.
Often, the HTTPS version of the content already exists and this just
requires adding an "s" to links - http:// to https://.
For other domains, use the site's HTTPS version if available. If HTTPS
is not available, you can try contacting the domain and asking them if
they can make the content available via HTTPS.
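Your problem is not the domain or the host. Your problem is the protocol.
You cannot set document.domain across protocols.
http and https are not the same origin because of the protocol, just as example.com:80 is not the same origin as example.com:8080 because of the port.
Mixing http and https is not allowed, for very good security reasons.
Please read https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy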
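The check described in the answers above, as an added example that is not part of the original question or answers: a small model of the HTML "same origin-domain" comparison, showing that setting document.domain relaxes the host (and port) comparison but never the scheme. The function names are hypothetical helpers, not browser APIs, and the suffix check is a simplification that does not consult the public suffix list.

```javascript
// Added example: models the HTML "same origin-domain" check that guards
// cross-frame DOM access. Function names are hypothetical, not browser APIs.

// Build an origin tuple from a URL. `domain` stays null until the page
// assigns document.domain.
function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port, domain: null };
}

// Model `document.domain = value`. Simplification: accepts the host itself or
// any parent suffix; real browsers also reject public suffixes such as "com".
function setDocumentDomain(origin, value) {
  if (origin.host !== value && !origin.host.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + origin.host);
  }
  return { ...origin, domain: value };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The check applied when one frame touches another frame's window properties.
function sameOriginDomain(a, b) {
  // Both pages set document.domain: compare scheme + domain, port is ignored.
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  // Neither page set it: fall back to the strict scheme/host/port comparison.
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  // Only one side set it: access is denied.
  return false;
}

// Both pages assign the same document.domain value, as in the question.
function canAccess(parentUrl, frameUrl, domain) {
  const parent = setDocumentDomain(originOf(parentUrl), domain);
  const frame = setDocumentDomain(originOf(frameUrl), domain);
  return sameOriginDomain(parent, frame);
}

console.log(canAccess("http://example.com", "https://secure.example.com", "example.com"));  // false
console.log(canAccess("https://example.com", "https://secure.example.com", "example.com")); // true
```
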