<?xml version="1.0" encoding="utf-8" standalone="yes"?> 通常我们需要传递额外的数据到callback函数，但是因为所有的回调函数都只有一个参数(远程方法的返回结果)，这就需要一些小技巧了。 解决方案就是使用Javascript的闭包特性。 例如，你的回调函数原本需要像这个样子： 那么你可以像这个组织你的函数： (调用元数据在脚本介绍中有解释) 换句话说，现在你作为callback函数传递过来的不是一个真正的callback，他只是一个做为代理的闭包，用来传递客户端的数据。 你可以用更简洁的形式：
/**
 * Callback that needs two inputs: the result of the remote method and an
 * extra value that only the browser side has.
 *
 * @param dataFromServer  value returned by the remote method
 * @param dataFromBrowser extra browser-side value supplied by the caller
 */
function callbackFunc(dataFromServer, dataFromBrowser) {
// Do something with dataFromServer and dataFromBrowser ...
}
// `...` is a placeholder for whatever browser-side value the callback needs.
var dataFromBrowser = ...;
// Define a closure that keeps a reference to dataFromBrowser and passes it,
// together with dataFromServer, on to callbackFunc.
var callbackProxy = function(dataFromServer) {
callbackFunc(dataFromServer, dataFromBrowser);
};
// The remote call is handed the one-argument proxy, not callbackFunc itself.
var callMetaData = { callback:callbackProxy };
Remote.method(params, callMetaData);
// Shorter form of the same pattern: the proxy closure is written inline in
// the call metadata instead of being stored in a variable first.
// `...` is a placeholder for whatever browser-side value the callback needs.
var dataFromBrowser = ...;
Remote.method(params, {
callback:function(dataFromServer) {
callbackFunc(dataFromServer, dataFromBrowser);
}
});
但很明显，在不少情形下，访问别的网站，获取别的网站的信息/服务是非常有用的，特别是在这个Web 2.0时代。
甯哥敤鐨勮法绔欒闂殑鏂規(guī)硶鏈?縐?鍙傝冭繛鎺?錛?)錛?
ASP.NET AJAX鎵╁睍(鍗矨tlas)鎻愪緵浜?jiǎn)涓涓ˉ(bridge)鏈哄埗璁╀綘鍦ㄦ湇鍔″櫒绔厤緗潵璁塊棶鍒殑緗戠珯錛屽茍鍚屾椂鏀寔POX鍜孲OAP榪?縐嶅崗璁傛兂浜?jiǎn)瑙e叾涓l嗚妭錛岃鍙傝傾tlas鏂囨。閲岀殑銆夿uilding Mash-ups with "Atlas"銆?/a>銆傚綋鐒朵綘瀹屽叏鍙互鑷繁寤虹珛涓涓獁eb service錛岄氳繃瀹冩潵璁塊棶鍏朵粬緗戠珯騫惰繑鍥炰俊鎭?
据说，Atlas中的 IFrameExecutor 可以实现跨域的调用，我按照MSDN博客Federal Developer Weblog的这篇帖子《Calling web services hosted outside of your application with “Atlas”》上的步骤试了一下，但在Windows 2003 Server SP1上得到的却是“Access is denied”的错误信息。然后我下载了该文中的项目，试验的结果仍旧是“Access is denied”。也许需要改动一些浏览器中的什么设置才能成功，但这不是我的目的，我需要一个在普通设置下都能成功的例子。
按需(On-Demand) Javascript脚本的实现是很简单的，譬如我有这样一个网页，(想测试的话，需要改动其中的网址)
<html>
<head>
<script language="javascript" type="text/javascript">
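/**
 * Load a script from another site on demand by adding a SCRIPT element to
 * the page. The "f" query parameter names the function on this page that the
 * returned script calls back with its data.
 *
 * The downloaded script runs with the full privileges of this page, so the
 * URL must only ever point at a host you trust.
 */
function loadContent()
{
    var s = document.createElement('SCRIPT');
    // NOTE(review): the URL literal is cut off in this listing. It is rebuilt
    // here from the host, page name, "f" parameter and callback name that the
    // accompanying text gives; confirm the scheme and host before use.
    s.src = 'http://www.anotherdomain.com/TestCrossJS.aspx?f=setDivContent';
    document.body.appendChild(s);
}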
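/**
 * Callback invoked by the on-demand script: shows the value it delivers in
 * the "dv" div.
 *
 * The value comes from another site, so it is written as plain text rather
 * than parsed as HTML.
 *
 * @param v value passed by the downloaded script
 */
function setDivContent(v)
{
    var target = document.getElementById("dv");
    // textContent never interprets markup, unlike innerHTML.
    target.textContent = v;
}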
</script>
</head>
<body>
<div id="dv"></div>
<input type="button" value="Click Me" onclick="loadContent()">
</body>
</html>
其中的www.anotherdomain.com/TestCrossJS.aspx是这样的：
<script language="C#" runat="server">
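// Returns a one-line script that calls the page function named by the "f"
// query parameter, passing the current server time as a string.
void Page_Load(object sender, EventArgs e)
{
    string f = Request.QueryString["f"];

    // "f" is chosen by the caller and is written into executable script, so
    // accept only a plain identifier. Anything else would let the caller
    // decide what script this endpoint returns. \z (not $) is used so a
    // trailing newline is rejected as well.
    if (f == null ||
        !System.Text.RegularExpressions.Regex.IsMatch(f, @"^[A-Za-z_$][A-Za-z0-9_$]*\z"))
    {
        Response.Clear();
        Response.StatusCode = 400;
        Response.End();
        return;
    }

    Response.Clear();
    Response.ContentType = "application/x-javascript";
    // The indentation inside the verbatim string is ordinary spaces; the
    // listing had picked up mis-encoded non-breaking spaces there.
    Response.Write(String.Format(@"
                   {0}('{1}');",
                   f,
                   DateTime.Now));
    Response.End();
}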
</script>
点击“Click Me”按钮，生成一个新的script tag，下载对应的 Javascript 脚本，结束时回调其中的setDivContent()，从而更新网页上一个div的内容。
IFRAME鐨勬柟娉曞ソ鍍忓緢嫻佽錛岄櫎浜?a target="_blank">dojo宸ュ叿鍖呮敮鎸?/a>澶栵紝鎹井杞殑Dare Obasanjo璇?鍙傝冭繛鎺?)錛?a target="_blank">Windows Live Contacts Gadget浣跨敤浜?jiǎn)杩欎釜鏂规硶鏉ヨ幏鍙朒otmail鐨刟ddress book銆傛渶榪戯紝Plaxo鍏徃鐨勫紑鍙戜漢鍛?Joseph Smarr鍦ㄤ竷鏈堢殑OSCON 2006浼?xì)璁笂浣滀簡(jiǎn)涓涓涓?a target="_blank">銆奀ross-site Ajax: Challenges and Techniques for Building Rich Web 2.0 Mashups銆?/a>鐨勮搴鏉ユ簮錛?a target="_blank">Kevin Yank--OSCON 2006: Cross-site Ajax]錛?a target="_blank">浠栦滑灝嗚繖涓柟娉曞仛鎴愪簡(jiǎn)涓涓鉤鍙?/a>錛屽厑璁稿悎浣滀紮浼撮棿鍚堜綔錛屼粬浠紑鍙戠殑鏂規(guī)鍙淭he JavaScript Wormhole(铏礊)鈥濓紝鎹鍑嗗灝嗗叾鎺ㄥ箍涓轟竴涓爣鍑嗐備粬璁插駭鐨凱PT鍙互鍦?a target="_blank">榪欓噷涓嬭澆錛岄噷闈㈠榪欎釜鏂規(guī)鍋氫簡(jiǎn)璇存槑錛岄潪甯稿煎緱鐪嬩竴涓嬨?
现在将IFRAME的方法简单示范如下:
1. http://domain1/TestCross.html:
<html>
<head>
<script language="javascript" type="text/javascript">
// Address of the page on the other domain; it is loaded in the iframe and
// sendRequest() appends the message to it as a fragment.
var url = "http://domain2/TestCross.html";
// Fragment value that was displayed last; null until idle() has run once.
var oldHash = null;
// Handle of the pending polling timeout.
var timer = null;
/**
 * Return the fragment of this window's URL without the leading "#".
 *
 * @returns the fragment text, or "" when the URL has no fragment
 */
function getHash()
{
    var fragment = window.location.hash;
    // charAt(0) is "" for an empty string, so no separate length check is needed.
    return fragment.charAt(0) == '#' ? fragment.substring(1) : fragment;
}
/**
 * Send the text box content to the page in the iframe by pointing the iframe
 * at the same URL with a new fragment.
 *
 * The text is placed in the fragment as typed, followed by "<br/>" and the
 * current date, so the receiving page must treat the fragment as untrusted.
 */
function sendRequest()
{
    var input = document.getElementById('request');
    var frame = document.getElementById('alienFrame');
    var payload = input.value + "<br/>" + new Date();
    frame.src = url + "#" + payload;
}
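/**
 * Show a message received through the URL fragment in the "response" div.
 *
 * The fragment can be set by any page that links to or navigates this one,
 * so it is untrusted input. It is rendered as text; only the literal "<br/>"
 * separator that sendRequest() inserts is turned into a line break.
 *
 * @param v message text taken from the URL fragment
 */
function setDivHtml(v)
{
    var dv = document.getElementById('response');
    var parts = String(v).split('<br/>');
    var i;

    // Remove whatever was shown before.
    while (dv.firstChild)
    {
        dv.removeChild(dv.firstChild);
    }

    for (i = 0; i < parts.length; i++)
    {
        if (i > 0)
        {
            dv.appendChild(document.createElement('br'));
        }
        // Text nodes are never parsed as markup, so tags in the message stay inert.
        dv.appendChild(document.createTextNode(parts[i]));
    }
}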
/**
 * Polling step: compare the current URL fragment with the one shown last,
 * display it when it differs, then schedule the next check in 100 ms.
 * Polling is used because a fragment-only change does not reload the page.
 */
function idle()
{
    var current = getHash();
    var changed = current != oldHash;
    if (changed)
    {
        setDivHtml(current);
        oldHash = current;
    }
    // Re-arm the timer whether or not anything changed.
    timer = window.setTimeout(idle, 100);
}
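// Start polling the URL fragment once the page has loaded.
// The handler is assigned as a property: the "function window.onload()"
// declaration form is a JScript-only extension and a syntax error in other
// engines, which would keep this whole script block from running.
window.onload = function ()
{
    timer = window.setTimeout(idle, 100);
};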
</script>
</head>
<body>
请求：<input type="text" id="request"> <input type="button" value="发送" onclick="sendRequest()" /><br/>
回复：<div id="response"></div>
<iframe id="alienFrame" src="http://domain2/TestCross.html"></iframe>
</body>
</html>
2. http://domain2/TestCross.html:
<html>
<head>
<script language="javascript" type="text/javascript">
// Address of the parent page on the other domain; sendRequest() navigates the
// parent to it with the message appended as a fragment.
var url = "http://domain1/TestCross.html";
// Fragment value that was displayed last; null until idle() has run once.
var oldHash = null;
// Handle of the pending polling timeout.
var timer = null;
/**
 * Return the fragment of this window's URL without the leading "#".
 *
 * @returns the fragment text, or "" when the URL has no fragment
 */
function getHash()
{
    var fragment = window.location.hash;
    var hasMarker = fragment.length >= 1 && fragment.charAt(0) == '#';
    if (!hasMarker)
    {
        return fragment;
    }
    return fragment.substring(1);
}
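/**
 * Send the text box content to the parent page by navigating the parent to
 * the same URL with a new fragment.
 *
 * The text is placed in the fragment as typed, followed by "<br/>" and the
 * current date, so the receiving page must treat the fragment as untrusted.
 */
function sendRequest()
{
    var d = document;
    var t = d.getElementById('request');
    var f = parent;
    //alert(f.document); // Uncommenting this line gives "Access is denied": the parent's document is on another domain and cannot be read.
    // Assigning the parent's location is still allowed across domains, and
    // that is the channel this sample uses. In the listing this statement had
    // been merged into the comment line above and so never ran.
    f.location.href = url + "#" + t.value + "<br/>" + new Date();
}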
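/**
 * Show a message received through the URL fragment in the "response" div.
 *
 * The fragment can be set by any page that links to or navigates this one,
 * so it is untrusted input. It is rendered as text; only the literal "<br/>"
 * separator that sendRequest() inserts is turned into a line break.
 *
 * @param v message text taken from the URL fragment
 */
function setDivHtml(v)
{
    var dv = document.getElementById('response');
    var parts = String(v).split('<br/>');
    var i;

    // Remove whatever was shown before.
    while (dv.firstChild)
    {
        dv.removeChild(dv.firstChild);
    }

    for (i = 0; i < parts.length; i++)
    {
        if (i > 0)
        {
            dv.appendChild(document.createElement('br'));
        }
        // Text nodes are never parsed as markup, so tags in the message stay inert.
        dv.appendChild(document.createTextNode(parts[i]));
    }
}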
/**
 * Polling step: compare the current URL fragment with the one shown last,
 * display it when it differs, then schedule the next check in 100 ms.
 * Polling is used because a fragment-only change does not reload the page.
 */
function idle()
{
    var current = getHash();
    var changed = current != oldHash;
    if (changed)
    {
        setDivHtml(current);
        oldHash = current;
    }
    // Re-arm the timer whether or not anything changed.
    timer = window.setTimeout(idle, 100);
}
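// Start polling the URL fragment once the page has loaded.
// The handler is assigned as a property: the "function window.onload()"
// declaration form is a JScript-only extension and a syntax error in other
// engines, which would keep this whole script block from running.
window.onload = function ()
{
    timer = window.setTimeout(idle, 100);
};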
</script>
</head>
<body>
请求：<input type="text" id="request"> <input type="button" value="发送" onclick="sendRequest()" /><br/>
回复：<div id="response"></div>
</body>
</html>
两个网页基本相同，第一个网页内嵌一个IFRAME，在点击“发送”按钮后，会将文本框里的内容通过hash fragment传给IFRAME。点击IFRAME里的“发送”按钮后，它会将文本框里的内容通过hash fragment传给父窗口。因为是只改动了hash fragment，浏览器不会重新load网页内容，这里使用了一个计时器来检测URL变化，如果变化了，就更新其中一个div的内容。
这个方法是不是个安全漏洞？考虑到微软的Windows Live都在使用这个方法，估计不是。这个方法是不是很安全？考虑到这个方法只有在2个网站协作的情形才能成功，安全问题好像不是很大，除非其中涉及的网站本身有XSS的问题。需要注意的是，hash fragment可以由任何构造链接或设置location的页面写入，接收方应把它当作不可信输入，不要直接作为HTML写入页面。
【参考连接】
1. Security Considerations: Dynamic HTML
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/sec_dhtml.asp
2. About Cross-Frame Scripting and Security
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/om/xframe_scripting_security.asp
3. Cross-Domain Proxy
http://ajaxpatterns.org/Cross-Domain_Proxy
4. Cross Domain XMLHttpRequest using an IFrame Proxy
http://manual.dojotoolkit.org/WikiHome/DojoDotBook/Book75
5. Back Button Support for Atlas UpdatePanels
http://www.nikhilk.net/BackButtonSupport.aspx
6. Cross-document messaging hack
http://blog.monstuff.com/archives/000304.html
7. Building Mash-ups with "Atlas"
http://atlas.asp.net/docs/Walkthroughs/DevScenarios/bridge.aspx
8. Calling web services hosted outside of your application with “Atlas”
http://blogs.msdn.com/federaldev/archive/2006/07/31/684229.aspx
9. AJAX Tip: Passing Messages Between iframes
http://www.25hoursaday.com/weblog/PermaLink.aspx?guid=3b03cf9d-b589-4838-806e-64efcc0a1a15
10. OSCON Cross-site Ajax Slides
http://blog.plaxo.com/archives/2006/07/oscon_crosssite.html
http://www.plaxo.com/css/api/Joseph-Smarr-Plaxo-OSCON-2006.ppt
11. OSCON 2006: Cross-site Ajax
http://www.sitepoint.com/blogs/2006/07/28/oscon-2006-cross-site-ajax/