1. 首頁
  2. 問答
  3. 從iframe中的腳本隱藏對象的某些屬性

從iframe中的腳本隱藏對象的某些屬性

2012-03-12 114 views
2

我有一個包含iframe(相同來源)的窗口,因此來自此iframe的腳本可以通過簡單引用top.foo來訪問頂層窗口的屬性。我想授予對這些屬性的訪問權限,並通過黑名單隱藏其他屬性。從iframe中的腳本隱藏對象的某些屬性

這是我到目前爲止有:

(function(){ 
    var private = PrivateObject; 
    Object.defineProperty(window, 'PrivateObject', { 
     get: function getter() { 
      if (!(getter.caller instanceof Function)) { 
       throw 'You can\'t access PrivateObject from the iframe'; 
      } 
      return private; 
     }, 
     set: function setter(x) { 
      if (!(setter.caller instanceof Function)) { 
       throw 'You can\'t access PrivateObject from the iframe'; 
      } 
      private = x; 
     }, 
    }); 
})();

這背後的基本理念是,f.caller instanceof Function應檢測外來窗口對象的調用,因爲window1.Function !== window2.Function

但是這does not work如果訪問器是從頂級代碼調用,其中f.caller === null。任何解決方案

來源

2012-03-12 user123444555621

+0

對不起,如果是天真的,但如果.caller爲null不會從頂級代碼工作?異常不會被拋出? – dave 2012-03-12 19:31:10

+0

問題是,用這種方法你會得到誤報和誤報。所以我正在尋找一種解決方案,允許從父級的頂級代碼訪問,同時阻止訪問iframe的頂級代碼。 – user123444555621 2012-03-12 20:50:03

回答

0

現在,我已經決定去與下面的辦法,因爲我不認爲這是可以檢測的頂級呼叫:如果有人想出了一個更好的解決方案

/** 
* Hide objects from access from other window objects. For example, this may be used to prevent access to 
* top.Ext from scipts inside iframes. 
* <strong>Warning:</strong> This does not work reliably, since calls from top-level code cannot be detected. 
* You may either <strong>allow all</strong> top-level access (from top and other windows), or <strong>disallow all</strong> top-level access. 
* Also remember that objects may have indirect references. 
* @param {Object} object The object whose properties shall be hidden 
* @param {Array|String} properties A comma-separated list or an array of property names 
* @param {Boolean} allowTopLevel <tt>true</tt> to allow access from top-level code. Defaults to <tt>false</tt> 
*/ 
hideObjectsFromFrames = function (object, properties, allowTopLevel) { 
    if (typeof properties == 'string') { 
     properties = properties.split(/ *, */); 
    } 
    Ext.each(properties, function (property) { 
     var orig = object[property]; 
     if (allowTopLevel) { // checking outside the accessors improves performance 
      Object.defineProperty(object, property, { 
       get: function g() { 
        if (g.caller && !(g.caller instanceof Function)) { 
         throw 'Security error. Attempt to access ' + property + ' from foreign window'; 
        } 
        return orig; 
       }, 
       set: function s(x) { 
        if (s.caller && !(s.caller instanceof Function)) { 
         throw 'Security error. Attempt to overwrite ' + property + ' from foreign window'; 
        } 
        orig = x; 
       } 
      }); 
     } else { 
      Object.defineProperty(object, property, { 
       get: function g() { 
        if (!(g.caller instanceof Function)) { 
         throw 'Security error. Attempt to access ' + property + ' from foreign window'; 
        } 
        return orig; 
       }, 
       set: function s(x) { 
        if (!(s.caller instanceof Function)) { 
         throw 'Security error. Attempt to overwrite ' + property + ' from foreign window'; 
        } 
        orig = x; 
       } 
      }); 
     } 
    }); 
};

,請讓我知道!

來源

2012-03-14 09:30:04 user123444555621

+0

FWIW,Safari 5.0中存在一個阻止'allowTopLevel'正常工作的錯誤:https://bugs.webkit.org/show_bug.cgi?id = 45480 – user123444555621 2012-03-20 09:06:57

相關問題

 相關問題