TWI486039B - Inter-domain communication methods, systems and devices - Google Patents

Publication number
TWI486039B
Authority
TW
Taiwan
Prior art keywords
page
data
receiving
sending
sender
Application number
TW098115852A
Other languages
Chinese (zh)
Other versions
TW201041348A (en
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to TW098115852A
Publication of TW201041348A
Application granted
Publication of TWI486039B

Landscapes

  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Description

Method, system and device for cross-domain communication

The present invention relates to the field of network technologies, and in particular to a method, system and device for cross-domain communication.

Browser clients provide visitors with a domain-based security isolation mechanism that prevents programs from different websites from accessing each other's data, so that a visitor's private data on one website cannot be stolen by another website. While this mechanism protects visitors, it also creates an obstacle for website development. For a large website platform with multiple domain names, or for different websites that trust each other, exchanging data and providing services to one another is entirely normal.

The main cross-domain communication methods in the prior art are as follows. Prior art 1 communicates by exploiting browser security vulnerabilities: browser vulnerabilities are continually sought out in order to achieve cross-domain access and data exchange.

Prior art 2 configures the browser to allow cross-domain access: users are required to lower the browser's security standard and set the browser to allow cross-domain access.

Prior art 3 communicates through URL (Uniform Resource Locator) redirects between websites. One domain requests a web page of another domain and passes the information to be exchanged as URL parameters or in a similar form; the other party returns information by redirecting the browser back to a page of the original domain, with the returned information carried as URL parameters.

Prior art 4 uses cross-domain script references. A page in one domain uses a <script> tag to reference a js (JavaScript) file of another domain and passes the data to be sent as URL parameters. That js file in the other domain can contain arbitrary script that delivers data directly into the current page.

In the course of implementing the present invention, the inventors found that the prior art has at least the following problems. When browser security vulnerabilities are used to communicate, malicious websites can exploit the same vulnerabilities to mount attacks, and as browsers are patched and upgraded, new vulnerabilities have to be found.

When the browser is configured to allow cross-domain access, requiring visitors to lower the browser security level likewise gives malicious websites an opening.

When URL redirects between websites are used to communicate, each data exchange requires multiple round trips to the server, which puts heavy load on the server and is inefficient; an attacker can see the data carried in the URL in the browser's address bar, which is a security risk; and because URL length is limited, large data cannot be transferred.

When cross-domain script references are used, each exchange requires asking the server to generate a new script, which is relatively complex, and one party fully exposes its own data to the other party's script, so the other party can steal anything.

The present invention provides a method, system and device for cross-domain communication that achieve secure communication between different domain names while preserving the browser's domain security isolation.

The present invention provides a method for cross-domain communication, applied in a system comprising a sender and a receiver that are located in different domains, the method comprising: the sender sends a request to the page in the receiver used for receiving data; the page in the sender used for receiving data receives the response sent by the page in the receiver used for sending data; and the sender obtains the response from the page in the sender used for receiving data.

The present invention also provides a method for cross-domain communication, applied in a system comprising a sender and a receiver that are located in different domains, the method comprising: the page in the receiver used for receiving data receives the request sent by the sender; the receiver processes the request sent by the receiver and obtains a response; and the page in the receiver used for sending data sends the response to the sender's page for receiving data.

The present invention also provides a system for cross-domain communication, comprising a sender and a receiver located in different domains. The sender is configured to send a request to the page in the receiver used for receiving data, to receive, through its local page for receiving data, the response sent by the page in the receiver used for sending data, and to obtain the response from that local page for receiving data. The receiver is configured to receive the request sent by the sender through its page for receiving data, to process the request sent by the receiver and obtain a response, and to send the response, through its page for sending data, to the sender's page for receiving data.

The present invention also provides a device for cross-domain communication, comprising a request sending unit, a response receiving unit and a data obtaining unit. The request sending unit is configured to send a request to the page in the receiver used for receiving data; the response receiving unit is configured to receive, through the page for receiving data, the response sent by the page in the receiver used for sending data; and the data obtaining unit is configured to obtain the response from the page in the sender used for receiving data.

The present invention also provides a device for cross-domain communication, comprising a request receiving unit, a processing unit and a response sending unit. The request receiving unit is configured so that the page for receiving data receives the request sent by the sender; the processing unit is configured to process the request sent by the receiver and obtain a response; and the response sending unit is configured so that the page for sending data sends the response to the sender's page for receiving data.

Compared with the prior art, the present invention has the following advantages: it fully complies with the browser's domain security isolation mechanism, does not require users to lower their security level, involves no URL page redirects and no frequent requests to the server, and gives both communicating parties fair and symmetric security protection, achieving secure communication between different domains.

The embodiments of the present invention provide a method, system and device for cross-domain communication that achieve secure communication between different domains while preserving the browser's domain security isolation.

The embodiments of the present invention are further described below with reference to the drawings and examples.

An embodiment of the present invention provides a method for cross-domain communication. The flow is shown in FIG. 1 and includes:

S101. The sender sends a request to the page in the receiver used for receiving data.

S102. The page in the sender used for receiving data receives the response sent by the page in the receiver used for sending data.

S103. The sender obtains the response from the page in the sender used for receiving data.

An embodiment of the present invention further provides a method for cross-domain communication. The flow is shown in FIG. 1-A and includes:

S101-A. The page in the receiver used for receiving data receives the request sent by the sender.

S102-A. The receiver processes the request sent by the receiver and obtains a response.

S103-A. The page in the receiver used for sending data sends the response to the sender's page for receiving data.

The present invention fully complies with the browser's domain security isolation mechanism, does not require users to lower their security level, involves no URL page redirects and no frequent requests to the server, and gives both communicating parties fair and symmetric security protection, achieving secure communication between different domains.

Embodiment 1 of the present invention provides a method for cross-domain communication. FIG. 2 is a schematic diagram of the method, and the principle of each part is as follows:

(1) Before cross-domain transfer can take place, the servers of both communicating parties first deploy two page files, one for receiving requests and one for returning responses. During cross-domain communication, the browser opens the page files deployed on both parties' servers to transfer the data. Note that "deploy" means placing these page files on the remote server, while "open" means that the local browser sends an access request for a page file deployed on the remote server.

(2) During cross-domain transfer, when an original page of the communication sender sends a cross-domain request command and parameters to the communication receiver in the other domain, the browser hosting the original page opens a hidden page from the server side and uses that hidden page to open the ASK page deployed on the other domain's server, passing the command and data needed for the request through the fragment identifier of the request URL and the name property of the page's window object. The original page is the page from which the sender initiates the communication, and it lies within the sender's domain, for example isv.com.

(3) The communication receiver receives the request command and parameters through the request-receiving page ASK and fetches the result data from the server. This works because the ASK page is in the receiver's domain, for example alisoft.com, so it can obtain the relevant data in that domain according to the other party's request command.

(4) After the receiver obtains the result data through the request-receiving page ASK, the ASK page either directly opens the response-return page ACK deployed on the sender's server, or opens another hidden page and uses it to open that ACK page, and passes the return location and data to the ACK page through the URL fragment identifier and the name property of the page's window object. The ACK page is in the sender's domain, for example isv.com, so once it receives the result data it passes that data back to the sender's original page.

Here, the ASK page receives the cross-domain request command and fetches the result data according to that command; the ACK page receives the result data sent by the ASK page and passes it back to the original page in the original domain. Note that the two parties need to transfer data through the receiver's server only the first time a cross-domain request is made. In later cross-domain transfers, the browser uses its own caching to keep the parameters sent the first time inside the browser, and when the receiver receives a cross-domain request it extracts the result data directly from the browser cache.

The flowchart of the cross-domain communication method provided by this embodiment is shown in FIG. 3 and includes the following steps:

S301. The servers of both communicating parties each deploy two page files: a page ASK for accepting requests and a page ACK for returning responses. Deploying the two page files allows requests to be made in both directions.

Note that the ASK page that accepts requests is generally a static page, but it can also be a dynamic page when additional HTTP (HyperText Transfer Protocol) header information needs to be attached. The ACK page that returns responses can be entirely static. The ASK page and the ACK page are the basic pages for communication between the two parties. When communication takes place, the two parties request these basic pages from each other. The two pages used for communication are collectively called communication pages.

This step requires a request format for the two communication pages. Both parties must follow this format, so it is part of the communication protocol. Note that the pages can be requested with GET, and that the commands and data of the communication generally must not be passed as URL parameters.

S302. When the original page of one website issues a communication request to another website in a different domain, the browser hosting the original page opens a hidden page and uses it to open the ASK page deployed on the other party's server, passing the request command and parameters to it.

The hidden page can be opened either as an invisible new window or as an invisible iframe.

The request command is passed as a fragment identifier appended to the URL, and the data can be passed through the name property of the window object.

Appending a fragment identifier to a URL means adding a "#" after the URL, followed by an arbitrary string. A fragment identifier is used to locate a given anchor (reading position) within a page and is processed by the client, not the server. However the fragment identifier in a URL changes, the server sees the same URL, and browsers inherently cache pages that have the same URL. Therefore, apart from the round trip to the server the first time these two pages are requested, later requests for them are served from the browser's client-side cache with no server round-trip overhead.

S303. After receiving the request, the other party's ASK page executes the corresponding service and obtains the result data.

S304. The other party's ASK page opens a new hidden page, or uses its own page, to open the ACK page of the original domain's website, and passes the obtained result data to that ACK page.

The browser's security isolation mechanism forbids a program in a page of one domain from directly manipulating the content and data of another page. However, when a page of one domain opens a page of another domain, it can pass data to that page through the URL, the name property of the window object, and similar means.

S305. The ACK page of the original domain's website passes the received result data back to the original page.

The above steps can be illustrated with an example. A typical request to an ASK page looks like this:

http://www.alisoft.com/ASK.HTM#GetUserName/envoy123@www.isv.com

This request asks the page http://www.alisoft.com/ASK.HTM for the user name (GetUserName) of envoy123@www.isv.com.

A typical reply to an ACK page looks like this:

http://www.isv.com/ACK.HTM#envoy123

This reply sends the string envoy123 to the page http://www.isv.com/ACK.HTM as the response to the above request.

Note that step S305 works because the ACK page and the original page are in the same domain at this point, so the ACK page can access the original page and pass the result data to it.
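
The ASK-side handling of the request shown above, as an added JavaScript example that is not part of the patent: it parses the fragment, checks the command and the reply host, builds the ACK URL, and shows that the server-visible URL is the same whatever the fragment says. It assumes that the text after "@" names the host whose ACK page receives the reply; the partner allowlist, service table and user record are constructed sample data.

```javascript
// Added example, not code from the patent.
// Assumptions: the text after "@" in the fragment names the host whose ACK
// page receives the reply; the allowlist, service table and user record
// below are constructed sample data.

const TRUSTED_PARTNERS = new Set(["www.isv.com"]);
const USER_NAMES = new Map([["envoy123", "envoy123"]]);
const SERVICES = new Map([
  ["GetUserName", (userId) => (USER_NAMES.has(userId) ? USER_NAMES.get(userId) : null)],
]);

// The browser strips the fragment before issuing the HTTP request, so the
// server (and the browser cache) sees one URL whatever command follows "#".
function serverVisibleUrl(urlString) {
  const u = new URL(urlString);
  return u.origin + u.pathname + u.search;
}

// Split "#Command/user@host" into its parts, or return null if the fragment
// does not have exactly that shape. The host pattern excludes "/", ":" and
// "@", so the reply target cannot carry a path, port or credentials.
function parseAskFragment(urlString) {
  let hash;
  try {
    hash = decodeURIComponent(new URL(urlString).hash);
  } catch (e) {
    return null; // not a URL, or malformed percent-encoding
  }
  const m = /^#([A-Za-z]+)\/([^@\/#]+)@([A-Za-z0-9.-]+)$/.exec(hash);
  if (!m) return null;
  return { command: m[1], userId: m[2], replyHost: m[3].toLowerCase() };
}

// Logic of the ASK page: validate, run the service, then build the ACK URL
// that the page would open (directly or through a hidden iframe).
function handleAsk(urlString) {
  const req = parseAskFragment(urlString);
  if (!req) return { ok: false, reason: "malformed" };
  if (!SERVICES.has(req.command)) return { ok: false, reason: "unknown-command" };
  // Any site can open the ASK page, so reply only to partners on the allowlist.
  if (!TRUSTED_PARTNERS.has(req.replyHost)) {
    return { ok: false, reason: "untrusted-reply-host" };
  }
  const result = SERVICES.get(req.command)(req.userId);
  if (result === null) return { ok: false, reason: "not-found" };
  const ackUrl = "http://" + req.replyHost + "/ACK.HTM#" + encodeURIComponent(result);
  return { ok: true, ackUrl };
}

// The request from the text above.
const sample = "http://www.alisoft.com/ASK.HTM#GetUserName/envoy123@www.isv.com";
console.log(serverVisibleUrl(sample), handleAsk(sample));
```

Because the fragment is delivered by whichever page opened the ASK page, the allowlist check on the reply host is what keeps an arbitrary site from having the result sent to its own ACK page.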

In the above steps, both the request data and the returned data are passed as strings in JSON format. JSON is the native data representation of the JavaScript language and has the advantages of a simple form, a compact format and easy conversion.

The request and returned data can be passed through the name property of the window object, which allows large amounts of data to be transferred. Alternatively, all of the data can be passed using fragment identifiers.

Note that, for the convenience of developers, the above data parameters can be wrapped in a set of JavaScript functions for developers to call.

An example in function form is given below to illustrate this.

function envoy(domainName,serviceName,onSuccess,onError)

domainName - the domain name to communicate with

serviceName - the name of the service to request

onSuccess - the callback function invoked on success

onError - the callback function invoked on failure

The present invention fully complies with the browser's domain security isolation mechanism, does not require users to lower their security level, involves no URL page redirects and no frequent requests to the server, and gives both communicating parties fair and symmetric security protection, achieving secure communication between different domains.

Embodiment 2 of the present invention provides a method for cross-domain communication. The flowchart of the method is shown in FIG. 4 and includes the following steps:

S401. The servers of both communicating parties each deploy one page file, used both to accept requests and to respond to them. For ease of description, and based on the functions of this deployed page file, the page that receives requests is called the ASK page and the page that returns responses is called the ACK page. The page file can be a static page or a dynamic page.

This step requires a request format for the communication page. Both parties must follow this format, so it is part of the communication protocol. Note that the page can be requested with GET, and that the commands and data of the communication generally must not be passed as URL parameters.

S402. When the original page of one website issues a communication request to another website in a different domain, the browser hosting the original page opens a hidden page and uses it to open the ASK page deployed on the other party's server, passing the request command and parameters to it.

In this step, the hidden page can be opened either as an invisible new window or as an invisible iframe.

The request command is passed as a fragment identifier appended to the URL, and the data can be passed through the name property of the window object.

Appending a fragment identifier to a URL means adding a "#" after the URL, followed by an arbitrary string. A fragment identifier is used to locate a given anchor (reading position) within a page and is processed by the client, not the server. However the fragment identifier in a URL changes, the server sees the same URL, and browsers inherently cache pages that have the same URL. Therefore, apart from the round trip to the server the first time these two pages are requested, later requests for them are served from the browser's client-side cache with no server round-trip overhead.

S403. After receiving the request, the other party's ASK page executes the corresponding service and obtains the result data.

S404. The other party's ASK page opens a new hidden page, or uses its own page, to open the ACK page of the original domain's website, and passes the obtained result data to that ACK page.

S405. The ACK page of the original domain's website passes the received result data back to the original page.

This step works because the ACK page and the original page are in the same domain at this point, so the ACK page can access the original page and pass the result data to it.

In the above steps, both the request data and the returned data are passed as strings in JSON format. JSON is the native data representation of the JavaScript language and has the advantages of a simple form, a compact format and easy conversion.

The request and returned data can be passed through the name property of the window object, which allows large amounts of data to be transferred. Alternatively, all of the data can be passed using fragment identifiers.

Note that, for the convenience of developers, the above data parameters can be wrapped in a set of JavaScript functions for developers to call.

The present invention fully complies with the browser's domain security isolation mechanism, does not require users to lower their security level, involves no URL page redirects and no frequent requests to the server, and gives both communicating parties fair and symmetric security protection, achieving secure communication between different domains.

本發明實施例還提供一種跨域通訊的系統,如圖5所述,包括:發送方100和接收方200,該發送方100與該接收方200位於不同的域中;該發送方100,用於向該接收方200中用於接收資料的頁面發送請求;並通過本地用於接收資料的頁面,接收該接收方200中用於發送資料的頁面發送的回應;從該本地用於接收資料的頁面中獲取該回應。The embodiment of the present invention further provides a cross-domain communication system. As shown in FIG. 5, the method includes: a sender 100 and a receiver 200. The sender 100 is in a different domain from the receiver 200. The sender 100 uses Sending a request to a page for receiving data in the recipient 200; and receiving a response sent by the page for transmitting the data in the receiver 200 through a page for receiving the data locally; from the local for receiving data Get the response in the page.

該接收方200,用於通過用於接收資料的頁面接收該發送方100發送的請求,處理該接收方200發送的請求並得到回應,並通過用於發送資料的頁面,向該發送方100接收資料的頁面發送該回應。The receiving side 200 is configured to receive a request sent by the sender 100 through a page for receiving data, process the request sent by the receiver 200, and obtain a response, and receive the message to the sender 100 through a page for sending data. The page of the profile sends the response.

本發明實施例還提供一種跨域通訊的裝置,用於作為發送方與位於不同域中的接收方交互資料,如圖6所示。包括:請求發送單元10、回應接收單元20以及資料獲取單元30;該請求發送單元10,用於向該接收方中用於接收資料的頁面發送請求;該回應接收單元20,用於通過接收資料的頁面,接收該接收方中用於發送資料的頁面發送的回應;該資料獲取單元30,用於從該發送方中用於接收資料的頁面中獲取該回應。The embodiment of the present invention further provides an apparatus for cross-domain communication, which is used as a sender to exchange data with a receiver located in a different domain, as shown in FIG. 6. The request sending unit 10 is configured to send a request to a page for receiving data in the receiving party, and the response receiving unit 20 is configured to receive data by using a request sending unit 10, a response receiving unit 20, and a data acquiring unit 30. And receiving a response sent by the page for sending the data in the receiving party; the data obtaining unit 30 is configured to obtain the response from the page for receiving the data in the sending party.

其中,該請求單元10還包括:發送資料頁面和接收資料頁面;該發送資料頁面,用於通過該用於發送資料的頁面將請求命令和資料向該接收方中用於接收資料的頁面發送。The requesting unit 10 further includes: a sending data page and a receiving data page; the sending data page is configured to send the request command and the data to the page for receiving the data in the receiving party by using the page for sending the data.

該接收資料頁面,用於接收接收方發送的回應。The receiving data page is configured to receive a response sent by the receiver.

其中,該發送資料頁面與該接收資料頁面為不同頁面或為同一頁面。並且該發送資料的頁面與該接收資料的頁面為動態頁面或靜態頁面。The sending data page and the receiving data page are different pages or are the same page. And the page for sending the data and the page for receiving the data are dynamic pages or static pages.

本發明實施例還提供一種跨域通訊的裝置,用於作為接收方與位於不同域中的發送方交互資料,如圖7所示。包括:請求接收單元40、處理單元50以及回應發送單元60;該請求接收單元40,用於接收資料的頁面接收該發送方發送的請求;該處理單元50,用於處理該接收方發送的請求並得到回應;該回應發送單元60,用於發送資料的頁面,向該發送方接收資料的頁面發送該回應。The embodiment of the present invention further provides an apparatus for cross-domain communication, which is used as a receiving party to interact with a sender located in a different domain, as shown in FIG. 7. The request receiving unit 40, the processing unit 50, and the response sending unit 60; the request receiving unit 40, the page for receiving the data receives the request sent by the sender; the processing unit 50 is configured to process the request sent by the receiver And receiving a response; the response sending unit 60 is configured to send a page of the data, and send the response to the page that the sender receives the data.

The request receiving unit 40 includes a page for receiving data, used to receive the request command and data, and a page for sending data, used to send the request command and data to the processing unit. The request receiving unit 40 further includes a page for receiving data and a page for sending data: the page for receiving data is used to receive the request command and data, and the page for sending data is used to send the response to the sender's page for receiving data. The page for sending data and the page for receiving data may be different pages or the same page, and they may be dynamic pages or static pages.

The present invention fully complies with the browser's domain-based security isolation mechanism. It does not require the user to lower the security level, involves no URL page redirection and does not send frequent requests to the server, and it ensures that both communicating parties receive fair and symmetric security protection, thereby achieving secure communication between different domain names.

From the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented in hardware, or in software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a removable hard disk) and includes a number of instructions that cause a computer device (such as a personal computer, a server or a network device) to perform the methods described in the embodiments of the present invention.

The above are only preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.

10 ... Request sending unit

20 ... Response receiving unit

30 ... Data acquiring unit

40 ... Request receiving unit

50 ... Processing unit

60 ... Response sending unit

100 ... Sender

200 ... Receiver

FIG. 1 is a flowchart of a cross-domain communication method according to an embodiment of the present invention;

FIG. 1-A is another flowchart of a cross-domain communication method according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of the principle of a cross-domain communication method according to an embodiment of the present invention;

FIG. 3 is a flowchart of a cross-domain communication method according to Embodiment 1 of the present invention;

FIG. 4 is a flowchart of a cross-domain communication method according to Embodiment 2 of the present invention;

FIG. 5 is a system diagram of cross-domain communication according to an embodiment of the present invention;

FIG. 6 is a structural diagram of a cross-domain communication apparatus according to an embodiment of the present invention;

FIG. 7 is a structural diagram of another cross-domain communication apparatus according to an embodiment of the present invention.

Claims (21)

1. A method for cross-domain communication, applied in a system including a sender and a receiver, the sender and the receiver being located in different domains, characterized by comprising: the sender sending a request to a page for receiving data in the receiver; a page for receiving data in the sender receiving a response sent by a page for sending data in the receiver; and the sender obtaining the response from the page for receiving data in the sender, wherein the sender sending the request to the page for receiving data in the receiver comprises: the sender opening a hidden page for sending data, and sending a request command and data to the page for receiving data in the receiver through the hidden page for sending data, and wherein opening the hidden page comprises: opening an invisible window or opening an invisible iframe.

2. The method of claim 1, wherein the page for receiving data and the page for sending data are page files deployed by the servers of the sender and the receiver before the cross-domain communication.

3. The method of claim 1, wherein the page for sending data and the page for receiving data are different pages or the same page.

4. The method of claim 1, wherein the request command and data are carried in GET form.

5. The method of claim 1, wherein the request command is passed in the form of a fragment identifier appended to the Uniform Resource Locator (URL); and the data is passed using the name attribute of the window object or using a fragment identifier.

6. The method of claim 1, wherein the data of the request and the response is passed as a string in JSON format.

7. The method of claim 1, wherein the page for sending data and the page for receiving data are dynamic pages or static pages.

8. A method for cross-domain communication, applied in a system including a sender and a receiver, the sender and the receiver being located in different domains, characterized by comprising: a page for receiving data in the receiver receiving a request sent by the sender; the receiver processing the request sent by the receiver and obtaining a response; and a page for sending data in the receiver sending the response to the sender's page for receiving data, wherein the page for sending data in the receiver sending the response to the sender's page for receiving data comprises: the receiver's page for receiving data directly opening the sender's page for receiving data and responding to the request, or the receiver opening a hidden page for sending data and using the hidden page to open the sender's page for receiving data and respond to the request, and wherein opening the hidden page comprises: opening an invisible window or opening an invisible iframe.

9. The method of claim 10, wherein the page for sending data and the page for receiving data are different pages or the same page.

10. The method of claim 8, wherein the response is passed in the form of a fragment identifier appended to the Uniform Resource Locator (URL); and the data is passed using the name attribute of the window object or using a fragment identifier.

11. The method of claim 8, wherein the data of the response is passed as a string in JSON format.

12. The method of claim 8, wherein the page for sending data and the page for receiving data are dynamic pages or static pages.

13. A system for cross-domain communication, characterized by comprising a sender and a receiver located in different domains; the sender being configured to send a request to a page for receiving data in the receiver, to receive, through a local page for receiving data, a response sent by a page for sending data in the receiver, and to obtain the response from the local page for receiving data; and the receiver being configured to receive, through a page for receiving data, the request sent by the sender, to process the request sent by the receiver and obtain a response, and to send the response to the sender's page for receiving data through a page for sending data, wherein the sender sending the request to the page for receiving data in the receiver comprises: the sender opening a hidden page for sending data, and sending a request command and data to the page for receiving data in the receiver through the hidden page for sending data; the receiver sending the response to the sender's page for receiving data through the page for sending data comprises: the receiver's page for receiving data directly opening the sender's page for receiving data and responding to the request, or the receiver opening a hidden page for sending data and using the hidden page to open the sender's page for receiving data and respond to the request; and opening the hidden page comprises: opening an invisible window or opening an invisible iframe.

14. An apparatus for cross-domain communication, acting as a sender exchanging data with a receiver located in a different domain, characterized by comprising a request sending unit, a response receiving unit and a data acquiring unit; the request sending unit being configured to send a request to a page for receiving data in the receiver; the response receiving unit being configured to receive, through a page for receiving data, a response sent by a page for sending data in the receiver; and the data acquiring unit being configured to obtain the response from the page for receiving data in the sender, wherein the request sending unit sending the request to the page for receiving data in the receiver comprises: the sender opening a hidden page for sending data, and sending a request command and data to the page for receiving data in the response receiving unit through the hidden page for sending data, and wherein opening the hidden page comprises: opening an invisible window or opening an invisible iframe.

15. The apparatus of claim 14, wherein the request sending unit comprises: a page for sending data, used to send the request command and data to the page for receiving data in the receiver through the page for sending data; and a page for receiving data, used to receive the response through the page for receiving data.

16. The apparatus of claim 14, wherein the page for sending data and the page for receiving data are different pages or the same page.

17. The apparatus of claim 14, wherein the page for sending data and the page for receiving data are dynamic pages or static pages.

18. An apparatus for cross-domain communication, acting as a receiver exchanging data with a sender located in a different domain, characterized by comprising a request receiving unit, a processing unit and a response sending unit; the request receiving unit being configured such that a page for receiving data receives a request sent by the sender; the processing unit being configured to process the request sent by the receiver and obtain a response; and the response sending unit being configured to send the response to the sender's page for receiving data through a page for sending data, wherein the response sending unit sending the response to the sender's page for receiving data through the page for sending data comprises: the receiver's page for receiving data directly opening the sender's page for receiving data and responding to the request, or the receiver opening a hidden page for sending data and using the hidden page to open the sender's page for receiving data and respond to the request, and wherein opening the hidden page comprises: opening an invisible window or opening an invisible iframe.

19. The apparatus of claim 18, wherein the request receiving unit comprises: a page for receiving data, used to receive the request command and data sent by the sender; and a page for sending data, used to send the response to the sender's page for receiving data.

20. The apparatus of claim 18, wherein the page for sending data and the page for receiving data are different pages or the same page.

21. The apparatus of claim 18, wherein the page for sending data and the page for receiving data are dynamic pages or static pages.
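The claims carry the request command in the URL fragment identifier and the data as a JSON string. The following added example (not code from the patent) shows one way a sending page could build such a URL and a receiving page could validate it before acting on it; the `cmd`/`id`/`data` field names, the command allowlist, the length cap and the `receiver.example` domain are assumptions of this sketch.

```javascript
// Added example. Field names (cmd, id, data), the command allowlist and the
// length cap are assumptions of this sketch, not taken from the patent.
const MAX_FRAGMENT_LENGTH = 2000; // assumed cap on the fragment size
const ALLOWED_COMMANDS = new Set(['getProfile', 'ping']); // hypothetical commands

// Sender side: build the URL that the hidden iframe or window is pointed at.
// The command and the JSON-encoded data travel in the fragment identifier.
function encodeMessage(receiverPageUrl, command, data, requestId) {
  const params = new URLSearchParams();
  params.set('cmd', command);
  params.set('id', requestId); // lets the sender match a response to its request
  params.set('data', JSON.stringify(data));
  const url = new URL(receiverPageUrl);
  url.hash = params.toString();
  return url.toString();
}

// Receiver side: called with location.href by the page for receiving data.
// The fragment says nothing about who set it, so it is handled as untrusted
// input: bounded in size, restricted to known commands, parsed with
// JSON.parse (never eval) and required to be a plain JSON object.
function decodeMessage(href, allowedCommands = ALLOWED_COMMANDS) {
  const hash = new URL(href).hash;
  if (hash.length <= 1) return { ok: false, error: 'empty fragment' };
  if (hash.length > MAX_FRAGMENT_LENGTH) {
    return { ok: false, error: 'fragment too long' };
  }
  const params = new URLSearchParams(hash.slice(1));
  const command = params.get('cmd');
  if (!allowedCommands.has(command)) {
    return { ok: false, error: 'unknown command' };
  }
  const id = params.get('id') || '';
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(id)) {
    return { ok: false, error: 'bad request id' };
  }
  let data;
  try {
    data = JSON.parse(params.get('data'));
  } catch (err) {
    return { ok: false, error: 'data is not valid JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, error: 'data must be a JSON object' };
  }
  return { ok: true, command, id, data };
}

// Constructed sample exchange (receiver.example is a placeholder domain).
const sampleUrl = encodeMessage(
  'https://receiver.example/recv.html', 'getProfile', { user: 'alice' }, 'req-1');
console.log(sampleUrl);
console.log(decodeMessage(sampleUrl));
console.log(decodeMessage(
  'https://receiver.example/recv.html#cmd=ping&id=req-2&data=alert(1)'));
```

The same validation applies in the opposite direction, when the sender's page for receiving data reads the response out of its own fragment.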
TW098115852A 2009-05-13 2009-05-13 Inter-domain communication methods, systems and devices TWI486039B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW098115852A TWI486039B (en) 2009-05-13 2009-05-13 Inter-domain communication methods, systems and devices

Publications (2)

Publication Number Publication Date
TW201041348A TW201041348A (en) 2010-11-16
TWI486039B TWI486039B (en) 2015-05-21

Family

ID=44996275

Family Applications (1)

Application Number Title Priority Date Filing Date
TW098115852A TWI486039B (en) 2009-05-13 2009-05-13 Inter-domain communication methods, systems and devices

Country Status (1)

Country Link
TW (1) TWI486039B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070299857A1 (en) * 2006-06-23 2007-12-27 Microsoft Corporation Cross Domain Communication
US20070299735A1 (en) * 2006-06-27 2007-12-27 Piyush Mangalick Cross domain customer interface updates
US20080010359A1 (en) * 2006-07-10 2008-01-10 Jeffrey Mark Achtermann Computer implemented method and system for managing server-based rendering of messages in a heterogeneous environment
US20090037806A1 (en) * 2007-07-30 2009-02-05 Jun Yang Cross-Domain Communication

Also Published As

Publication number Publication date
TW201041348A (en) 2010-11-16

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees