What's the origin of an embedded script?

Suppose I embed a piece of JavaScript from site B into a page on site A. Does the origin of B's script change to A?

+1

Quoting some official documentation:

From RFC 6454 - The Web Origin Concept.

3.1 TRUST

The same-origin policy specifies trust by URI. For example, HTML documents designate which script to run with a URI:

<script src="https://example.com/library.js"></script>

When a user agent processes this element, the user agent will fetch the script at the designated URI and execute the script with the privileges of the document. In this way, the document grants all the privileges it has to the resource designated by the URI. In essence, the document declares that it trusts the integrity of information retrieved from that URI.

Another example, also from RFC 6454 - The Web Origin Concept:

Consider, for example, cross-site scripting in HTML documents. If an attacker can inject script content into an HTML document, those scripts will run with the authority of the document’s origin, perhaps allowing the script access to sensitive information, such as the user’s medical records.

Scripts run with the origin of the frame they are embedded in, not the origin they were loaded from. If you load a script from another site, for example

<script src="http://example.com/example.js"></script>

that script behaves exactly as if you had loaded it from your own site or embedded it inline. It has no special privileges relative to the site that loaded it.