问题
Is there anyway to limit Javascript Get, Post request to a specified domain? Also can I somehow disable JSONP?
I want to develop a web content framework where people can include javascripts in different pages but I don't want those scripts to access any other domain.
I am familiar with firefox "Content Security Policy" but unfortunately that is only applicable to firefox.
回答1:
It's "disabled" by default. If you want to "allow" json, you would have to add jsonp callback. Without it, js isn't able to retreive json response.
回答2:
Instead of letting the users pick arbitrary javascripts, can you let them pick from a list of approved scripts, and rejects the edits if the scripts are not included from the right domain? Or can you use some sort of a custom markup, where instead of being allowed to write -tags, they write [include="pluginname"], and you convert that to a script tag yourself, it the plugin with the given name is found?
Content Security Policy is also has limited support in Chrome, but currently it's not really what you want, as its support and penetration in the market is limited.
来源:https://stackoverflow.com/questions/7130986/prevent-javascript-get-and-script