
7/25/2008

window.name

quipt

Extremely clever idea: Cache JavaScript in window.name (which persists between page views and can hold several MB of data), but use document.referrer to check that an external domain hasn’t loaded the cache with malicious code for an XSS attack. UPDATE: Jesse Ruderman points out a fatal flaw in the comments.


Ajaxian »
window.name meet dojox.io.windowName

window.name Transport
The window.name transport is a new technique for secure cross-domain browser-based data transfer, and can be utilized for creating secure mashups with untrusted sources. window.name is implemented in Dojo in the new dojox.io.windowName module, and it is very easy to make web services available through the window.name protocol. window.name works by loading a cross-domain HTML file in an iframe. The HTML file then sets its window.name to the string content that should be delivered to the requester. The requester can then retrieve the window.name value as the response. The requested resource never has access to the requester’s environment (JavaScript variables, cookies, and DOM).

Using window.name to solve cross-domain problems _ PlanABC - 怿飞’s Blog
window.name test
The remote data page needs to set window.name = 'data';

<body>
<p id="content">
hi, <strong>kejun</strong>!
</p>
<script type="text/javascript">
// Publish the paragraph's markup as this window's name so the requester can read it
window.name = document.getElementById("content").innerHTML;
</script>
</body>

Then the local page includes the remote page in an iframe and reads iframe.contentWindow.name.
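Requester-side handling for the transport described in the Dojo and PlanABC notes above, added here as an example and not taken from the linked posts or from dojox.io.windowName: the string read from the iframe is treated as data from an untrusted origin, bounded in size, parsed as JSON rather than evaluated, and displayed as text. The function names, the size cap and the {greeting: ...} payload shape are assumptions; frame is the iframe element, and browsers refuse the read for as long as the iframe still shows the cross-origin document.

```javascript
// Added example (not from the original page). Function names, the size
// cap and the {greeting: string} payload shape are assumptions.
const MAX_NAME_LENGTH = 64 * 1024; // assumed cap; window.name can hold several MB

// Read the name of an iframe's window. While the frame still displays the
// remote (cross-origin) document the browser throws on this access, so the
// caller gets a "not readable yet" result instead of an exception.
function readFrameName(frame) {
  try {
    const value = frame.contentWindow.name;
    return typeof value === 'string'
      ? { ok: true, value }
      : { ok: false, reason: 'not-a-string' };
  } catch (err) {
    return { ok: false, reason: 'cross-origin' };
  }
}

// Treat the delivered string as untrusted data: bound its size, parse it
// as JSON (never eval), and accept only the expected shape.
function parseTransportPayload(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return { ok: false, reason: 'empty' };
  if (raw.length > MAX_NAME_LENGTH) return { ok: false, reason: 'too-large' };
  let data;
  try {
    data = JSON.parse(raw);
  } catch (err) {
    return { ok: false, reason: 'not-json' };
  }
  const plain = data !== null && typeof data === 'object' && !Array.isArray(data);
  if (!plain || typeof data.greeting !== 'string') return { ok: false, reason: 'bad-shape' };
  return { ok: true, value: { greeting: data.greeting } };
}

// Full receive path: read, validate, then display as text so that markup
// in the remote string is shown literally rather than interpreted.
function receiveInto(frame, targetElement) {
  const name = readFrameName(frame);
  if (!name.ok) return name;
  const parsed = parseTransportPayload(name.value);
  if (parsed.ok) targetElement.textContent = parsed.value.greeting;
  return parsed;
}
```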
