Let's solve cross-domain ajax, totally on the client, using script tags

吃可爱长大的小学妹 submitted on 2019-12-11 22:55:45

Question


I know, there's JSONP, which involves server cooperation to name-space the data.

What is bothering me is the fact that the content of script tag src is evaluated, but it's NOT available to read.

<script src="http://www.google.com"></script>

All we need to figure out is how to namespace the data, that's all. Of course I tried pretty idiotic things with no relevant result (I know this doesn't work, but you can see what I'm trying to achieve):

<script>eval('var namespace="');</script>
<script src="http://www.google.com"></script>
<script>eval('";');</script>

Since there's really no relevant info on how the src content is evaluated, I know it's global scope, but if we could trace evaluation steps or maybe chain evals scope somehow (not much documentation about this as well), we could solve this annoying "evaluated but not readable" thing.

Any ideas?


Answer 1:


HTML5 provides window.postMessage which provides a mechanism for safe cross domain messaging, and is supported by Firefox 3, Opera 9.6, and WebKit nightlies.

That said, your suggestion above cannot work because it requires fundamentally different behaviour from JavaScript's eval. eval parses and executes the given string in the current context -- what you're requesting is that eval change the actual code of the containing function. E.g.

 for (var i = 0; i < 10; i++) eval("; doSomething();");

would become

 for (var i = 0; i < 10; i++) ; doSomething();;

meaning the for-loop becomes empty, and doSomething would only be called once. Clearly this would result in incredibly difficult-to-comprehend semantics, as well as making it substantially less safe to use, as eval would gain the ability to directly influence control flow.
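As an added example (not code from the question or any of the answers), here is the window.postMessage exchange that answer 1 points to, with the origin checks a defender wants on both sides. The origins https://app.example.test and https://widget.example.test and the message shape are assumed for illustration.

```javascript
// Hypothetical setup: a page on https://app.example.test embeds an iframe
// served from https://widget.example.test and wants data from it.
const ALLOWED_ORIGIN = "https://widget.example.test";

// Receiver (parent page). Returns true only when a message from the
// trusted origin was accepted, so the logic can be exercised offline.
function makeMessageHandler(allowedOrigin, onData) {
  return function handleMessage(event) {
    // Reject anything not sent by the frame we trust; without this check
    // any other document holding a reference to this window could feed us data.
    if (event.origin !== allowedOrigin) {
      return false;
    }
    let payload;
    try {
      payload = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
    } catch (e) {
      return false; // malformed message, ignore it
    }
    if (!payload || payload.type !== "search-result" || !Array.isArray(payload.results)) {
      return false; // unexpected shape, ignore it
    }
    onData(payload.results);
    return true;
  };
}

// Sender (inside the iframe). An explicit target origin instead of "*"
// keeps the data from being delivered to a page that replaced the parent.
function sendResult(targetWindow, targetOrigin, results) {
  const msg = JSON.stringify({ type: "search-result", results: results });
  targetWindow.postMessage(msg, targetOrigin);
  return msg;
}

// Browser wiring, guarded so the file also loads outside a browser.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener(
    "message",
    makeMessageHandler(ALLOWED_ORIGIN, function (results) { console.log(results); })
  );
}
```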




Answer 2:


I'm not sure this is at all possible due to browser security policies.




Answer 3:


I'm inclined to say leave it. These kinds of issues will be solved, but not by hacking around what we already have. The web is fundamentally broken in that regard. The fact that any script from one domain can be executed on another is a severe security vulnerability that will hamper the growth of the web if left unchecked.

http://www.slideshare.net/webdirections/douglas-crockford-ajax-security-presentation



Source: https://stackoverflow.com/questions/551363/lets-solve-cross-domain-ajax-totally-on-the-client-using-script-tags
