{"id":19545170,"url":"https://github.com/scscms/jsonp_sandbox","last_synced_at":"2026-06-11T04:31:16.041Z","repository":{"id":93555032,"uuid":"76013450","full_name":"scscms/JSONP_sandBox","owner":"scscms","description":"JSONP is a widely used solution for fetching data across origins, but its security requires sandbox protection.","archived":false,"fork":false,"pushed_at":"2016-12-09T07:47:30.000Z","size":7,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-08T19:23:57.917Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/scscms.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-12-09T07:43:23.000Z","updated_at":"2016-12-09T07:47:31.000Z","dependencies_parsed_at":null,"dependency_job_id":"8fb075ad-8a16-43d0-9421-a100670c4adc","html_url":"https://github.com/scscms/JSONP_sandBox","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scscms%2FJSONP_sandBox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scscms%2FJSONP_sandBox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scscms%2FJSONP_sandBox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scscms%2FJSONP_sandBox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/scscms","download_url":"https://codeload.github.com/scscms/JSONP_sandBox/tar.gz/refs/heads/ma
ster","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240801040,"owners_count":19859727,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-11T03:35:55.905Z","updated_at":"2026-06-11T04:31:15.416Z","avatar_url":"https://github.com/scscms.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# jsonp-sandbox security sandbox\u003csup\u003eshine\u003c/sup\u003e\n\n## What is jsonp-sandbox\n\n\u003e A JSONP request is often mentioned in the context of ajax, but JSONP actually differs from ordinary ajax. JSONP is a widely used solution for fetching data across origins; it works by loading dynamically generated `script` content to get around the same-origin restriction. Because of this mechanism, JSONP easily gives rise to security problems, for example the script being hijacked by an attacker or by a network operator.\n\n## Prerequisites\n\n|Browser|H5 sandbox|srcdoc|execScript|\n|:-----|:-----:|:-----:|:-----:|\n|IE8 and below|Not supported|Supported|\n|IE9|Not supported|Not supported|Supported|\n|IE10|Supported|Not supported|Supported|\n|IE11|Supported|Not supported|Not supported|\n|chrome|Supported|Supported|Not supported|\n|firefox|Supported|Supported|Not supported|\n\n## Handling\n\nEvery request is first isolated in an iframe created on the current page, with the main focus on preventing access to top and parent.\n\nHandling is split into three cases:\n- 1. IE9 and below\n    Use `execScript` to override the top and parent objects with same-named functions.\n    Because IE9 cannot override Document and HTMLDocument, the getter and setter properties on their prototypes are broken instead.\n- 2. IE10 and above\n    sandbox is supported but not in a friendly way. Likewise, alert, confirm and the like are overridden with same-named functions.\n- 3. chrome, firefox and other modern browsers\n    The H5 sandbox isolates them completely.\n\nIE9 and below communicate through the reserved `parent`; the others communicate via `postMessage`.\n\n## Usage\n\nInclude it directly:\n\n``` html\n\u003cscript src=\"./jsonp-sandbox.js\"\u003e\u003c/script\u003e\n```\n**JSONP.get(url,options)**\n\n**url** required\n\n**options** optional\n* `url` if given, overrides the first argument\n* `key` the KEY (query-parameter name) used for JSONP, default `callback`\n* `callback` the JSONP callback function name\n    1. generated randomly by default\n    2. if a value is specified, it overrides the previous one\n    3. extracted from the url using the value of key; if present, it overrides the previous one\n* `success` success callback\n* `error` failure callback\n* `data` request data appended to the URL\n* `cache` whether to disable caching; when true, a random number is added to the request\n* `timeout` timeout in milliseconds, must not be less than 100\n\n## API\n\n**JSONP.get(url, success, error)**\n\n``` javascript\nJSONP.get('http://api.com/user', function (data) {\n    console.log(data);\n});\n```\n\nFor example:\n\n``` javascript\nJSONP.get('http://api.com/users/35', {\n    value: 'jsonp_001',\n    key: 'callback'\n})\n```\n\nThe URL that is ultimately requested looks like:\n\n```\nhttp://api.com/users/35?callback=jsonp_001\n```\n\n## Demo\n\n```javascript\ndocument.cookie = 'hello world';\n\nJSONP.get({\n    url: 'https://rawgit.com/aui/jsonp-sandbox/master/test/xss.js',\n    value: 'jsonp_callback',\n    success: function (data) {\n        console.log(data);\n    },\n    error: function(errors) {\n        console.error(errors);\n    }\n});\n```\n## Tested environments\n\nIE5+, Edge, Chrome, Firefox, Safari\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscscms%2Fjsonp_sandbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fscscms%2Fjsonp_sandbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscscms%2Fjsonp_sandbox/lists"}