Question
I've been trying to access different domains from my JavaScript (to pull the page title) but cannot because of the same-origin policy.
What I realized is that JavaScript "installed" into the browser via bookmarklets is not restrained by this policy.
This got me to wondering how security is kept... for example delicious bookmarklets... I can just modify them and start ajaxing delicious.com... I don't plan on doing this, but likewise someone could do this to a bookmarklet that I create.
How do you create security here?
Do some sites allow public access via ajax?
Answer 1:
As far as the server is concerned, there is no such thing as AJAX. AJAX requests are just HTTP requests like any other.
The restriction of cross domain AJAX is done by the browser for the sake of avoiding cross site scripting attacks (you wouldn't want a third party ad to have access to your Stack Overflow session data and be able to ship that somewhere else, would you?).
The browser (apparently) does not limit "bookmarklets" in the same way. If you decided to put a bit of script into a bookmark, I guess the browser is perfectly happy to execute it.
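The answer above draws a line between two separate decisions: the server sees a plain HTTP request and cannot tell whether it came from XMLHttpRequest, a bookmarklet, a form or curl; the browser, not the server, decides whether a script may read a cross-origin response. The following added example (not code from the question, the answer, or any of the sites mentioned) models both halves: a server-side allowlist that opts a resource in for specific origins, and the browser-side check that a bookmarklet inherits from the page it runs in, since it executes as that page's own script. All URLs and allowlist entries are constructed for illustration.

```javascript
// Added example, not from the original question or answer. Models the
// browser's same-origin decision and a server's cross-origin opt-in.
// URLs and allowlist entries below are constructed sample values.

// The same-origin policy compares (scheme, host, port). URL.origin already
// serialises that triple and drops default ports, so "https://a.example:443/x"
// and "https://a.example/y" yield the same origin string.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Server side. This function only sees request headers, which is the point of
// the answer: nothing here can distinguish an AJAX call from any other client,
// so authorisation must rest on credentials or per-request tokens, never on
// "this request came from our own JavaScript". The only thing the server
// controls is whether it opts the response in for a given origin.
function corsHeadersFor(requestHeaders, allowedOrigins) {
  const origin = requestHeaders.origin;
  if (!origin) return {}; // same-origin request or non-browser client: no CORS decision
  let allowed = false;
  try {
    allowed = allowedOrigins.some((o) => originOf(o) === originOf(origin));
  } catch (e) {
    allowed = false; // opaque or malformed Origin (e.g. "null") is never allowlisted
  }
  if (!allowed) return {}; // no opt-in: the browser will withhold the body from the script
  return { 'access-control-allow-origin': origin, vary: 'Origin' };
}

// Browser side. A script running at pageUrl (a bookmarklet runs as the page's
// script, so it uses the page's origin) may read a response from targetUrl if
// the origins match, or if the server explicitly allowed the page's origin.
function browserCanRead(pageUrl, targetUrl, responseHeaders) {
  if (sameOrigin(pageUrl, targetUrl)) return true;
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return true;
  return acao === originOf(pageUrl);
}

// End-to-end simulation of one request from a page to a target URL. Note that
// the request always reaches the server; the browser's policy only governs
// whether the calling script gets to see the response.
function simulateFetch(pageUrl, targetUrl, allowedOrigins) {
  const requestHeaders = sameOrigin(pageUrl, targetUrl)
    ? {}
    : { origin: originOf(pageUrl) };
  const responseHeaders = corsHeadersFor(requestHeaders, allowedOrigins);
  return {
    requestReachedServer: true,
    scriptCanReadResponse: browserCanRead(pageUrl, targetUrl, responseHeaders),
  };
}

// Constructed sample run: a page on blog.example pulls a title from api.example.
const PAGE = 'https://blog.example/post/1';
const TARGET = 'https://api.example/titles?u=1';
console.log(simulateFetch(PAGE, TARGET, ['https://blog.example'])); // readable: opted in
console.log(simulateFetch(PAGE, TARGET, []));                       // reaches server, not readable
```

Two things this makes concrete: `corsHeadersFor` never consults anything but headers, because that is all a server ever has, so a site that "allows public access via AJAX" does so by returning `Access-Control-Allow-Origin`, not by detecting AJAX; and `browserCanRead` is the check a bookmarklet inherits from whatever page it runs on, which is why a modified bookmarklet gains nothing the page's own script did not already have.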
Source: https://stackoverflow.com/questions/10768768/how-are-bookmarklets-javascript-in-a-link-verfied-by-servers-how-is-security