Cross Domain Limitations With Ajax - JSON

Front-end | Unresolved | 4 | 796
无人共我 2020-12-06 09:06

When requesting (ht|x)ml with ajax you can only send requests to the same domain. But if you request JSON you can send it to any domain. Why?

I'm told it's for sec

4 replies
  •  借酒劲吻你
    2020-12-06 09:20

    Injecting JSON directly in your page is not secure at all.

    You give the loaded script full access to the resources in your page (data, cookies, logic).

    If the injected code is malicious, it can run actions on your server, post data back to their server (POST is allowed cross domain; the response is not readable, but your data are sent anyway), etc.

    We're building a web app that makes heavy use of cross domain access.
    To solve this problem, we came up with a rather simple JSONP sandboxing solution.
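To make the point of the answer concrete: a JSONP response is a script, and a `<script>` tag runs whatever the remote server returns, not just the JSON. The check below is an added example (not code from the original post or from the answerer's sandboxing solution). It assumes the response text can be obtained as text rather than as a script (for instance through your own same-origin proxy, or inside a sandboxed frame that forwards the raw text), which is an assumption beyond what the post describes; given that text, it accepts only `callback(<JSON>)` and feeds the inner part to `JSON.parse`, which never executes code. The callback name and sample responses are constructed for the example.

```javascript
// Added example, not from the original post: treat a JSONP response as data
// rather than executing it as a script. parseJsonpResponse() accepts only
// "<callback>(<json>)" with an optional trailing semicolon and rejects anything
// else (extra statements, a different callback name, non-JSON arguments).

function parseJsonpResponse(text, expectedCallback) {
  // The callback name is chosen by the page, so it must be a plain identifier.
  if (!/^[A-Za-z_$][\w$]*$/.test(expectedCallback)) {
    throw new Error('invalid callback name');
  }
  const trimmed = text.trim();
  const prefix = expectedCallback + '(';
  if (!trimmed.startsWith(prefix)) {
    return { ok: false, reason: 'unexpected callback' };
  }
  // Strip the wrapper; allow one optional trailing semicolon.
  let inner = trimmed.slice(prefix.length);
  if (inner.endsWith(';')) inner = inner.slice(0, -1).trimEnd();
  if (!inner.endsWith(')')) {
    return { ok: false, reason: 'malformed wrapper' };
  }
  inner = inner.slice(0, -1);
  // JSON.parse never runs code: any appended statement, function call or
  // expression inside the argument makes the parse fail and the response is dropped.
  try {
    return { ok: true, data: JSON.parse(inner) };
  } catch (e) {
    return { ok: false, reason: 'payload is not JSON' };
  }
}

// Constructed sample responses (hypothetical callback name "handleData").
const SAMPLE_BENIGN = 'handleData({"user":"alice","roles":["viewer"]});';
// Same payload with an extra statement appended after the callback: a plain
// <script> tag would execute it, the parser above rejects the whole response.
const SAMPLE_TAMPERED = 'handleData({"user":"alice"}); otherFunction()';

console.log(parseJsonpResponse(SAMPLE_BENIGN, 'handleData'));
console.log(parseJsonpResponse(SAMPLE_TAMPERED, 'handleData'));
```

The benign response yields the parsed object; the tampered one and any response that names a different callback are rejected before reaching a script tag. The check does not change what a cross-domain request itself can do (the answer's point about blind POSTs still holds); it only removes the "remote server chooses what code runs in my page" part of plain JSONP.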
