在主frame,使用
var frame = document.getElementById("login_frame");
console.log('haha2:' + dom.contentWindow);
这种方式访问子frame,存在跨域问题。
那么怎么在chromium里去掉这个检查呢。经过调试,发现仅仅去掉SecurityOrigin::canAccess之类还是不行,
原因是如下堆栈:
blink::V8Window::namedPropertyGetterCustom
blink::DOMWindowV8Internal::namedPropertyGetterCallback
v8::internal::PropertyCallbackArguments::Call
v8::internal::`anonymous namespace'::GetPropertyWithInterceptorInternal
v8::internal::JSObject::GetPropertyWithInterceptor
v8::internal::Object::GetProperty
v8::internal::JSReceiver::GetProperty
v8::internal::Object::GetMethod
v8::internal::JSReceiver::ToPrimitive
v8::internal::Object::ToPrimitive
v8::internal::Object::Add
v8::internal::BinaryOpIC::Transition
v8::internal::Runtime_BinaryOpIC_Miss
会去取Symbol.toPrimitive,
关键就是这个Object::GetProperty,会调用it->HasAccess()去请求是否有访问权限。
it->HasAccess()里的逻辑是先检查
Context::cast(receiver_context)->security_token() == native_context->security_token()
再检查v8windows里设置的
DOMWindowV8Internal::securityCheck。
所以只要在WindowProxy::setSecurityToken里
把所有SecurityToken都用context->SetSecurityToken
设置成一样的,v8就全都放行了。