
javascript - Cross-domain requests: Javascript vs Flash

Reposted. Author: 数据小太阳. Updated: 2023-10-29 04:48:42

As you may know, the browser's security model does not allow a script loaded into a page from http://www.example.com to make cross-domain requests (no AJAX calls to any domain other than www.example.com). The JavaScript file itself can be served from a completely different domain (www.javascript.com/myscript.js); that makes no difference. This is the same-origin policy.

Does Flash have something similar? And does Flash treat the origin as the HTML page that loads the .swf file, or as the domain that serves the .swf file?

So http://www.example.com loads a .swf file from http://www.swf.com/myflash.swf. Can the .swf now only load resources from www.example.com, or only from www.swf.com? I am assuming no cross-domain.xml file is set up on example.com or swf.com.

Best answer

I think this article explains a lot about the issues you mention: http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html

From there:

For website owners, all user-supplied content should be served from a completely separate domain. This is already implemented by Yahoo mail, Hotmail, Wikipedia, and many other major websites, but a huge variety of self-contained web applications do not do so (and if I can, for example, upload a malicious file to "apiwiki.twiitter.com", I can perform cross-subdomain cookie attacks). A partial solution was made possible by Flash 10,0,0,2: SWF files served with a "content-Disposition: attachment" header will not execute when embedded in a web page. If all user-generated content is served with this header (not a bad idea in any case), it may limit your exposure, but this is not a very robust solution.

It sounds like if you serve content from a different domain and have no cross-domain policy file, then Flash cannot access files from your main server.

There is also this article: http://supergeekery.com/index.php/geekblog/2009/12 which points out

And everything I write should be able to trust each other and share with each other. You may wonder if Flash Ads are a problem. Do they have this problem? No, there are Flash ads all over the internet, but since they are almost never hosted on the same server as the domain you’re visiting, they don’t get to access the data the web site’s primary code’s data. Cool.
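To make the "no cross-domain.xml" assumption in the question concrete, here is an added example (not code from the Stack Overflow thread or from either linked article): a simplified evaluator for a Flash crossdomain.xml policy that decides whether a SWF served from one host may read data from a host that publishes a given policy, and that flags the wildcard setting a reviewer should look for. It models only the allow-access-from domain rule with Adobe's "*" and "*.example.com" wildcard forms; the sample policies and hostnames are constructed placeholders, and the real Flash Player also checks ports, the secure attribute and meta-policies.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; hostnames are the placeholders from the question.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.swf.com" secure="true"/>
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Adobe-style match: exact host, '*' (any host), or '*.example.com'
    (example.com itself plus every subdomain)."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def swf_may_read(policy_xml, swf_host):
    """True if a SWF served from swf_host may read data from the host that
    published policy_xml. policy_xml=None models a server with no
    crossdomain.xml at all (the question's assumption): every
    cross-origin read is denied."""
    if policy_xml is None:
        return False
    root = ET.fromstring(policy_xml)
    return any(domain_matches(rule.get("domain", ""), swf_host)
               for rule in root.findall("allow-access-from"))


def wildcard_rules(policy_xml):
    """Return the domain values that grant access to every origin; this is
    the setting to flag when reviewing a policy file."""
    root = ET.fromstring(policy_xml)
    return [r.get("domain") for r in root.findall("allow-access-from")
            if r.get("domain") == "*"]


if __name__ == "__main__":
    # The question's scenario: www.example.com embeds myflash.swf from www.swf.com.
    for name, policy in [("none", None), ("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)]:
        print(name, "-> SWF from www.swf.com may read example.com data:", swf_may_read(policy, "www.swf.com"))
```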

Regarding javascript - Cross-domain requests: Javascript vs Flash, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/2131843/
