Ginew.Z 的博客

href="#" vs. href="javascript:void(0)"

<a href="javascript:void(0)" onclick="doSomething();returnfalse;">Link</a>

這是一個曾經被多次討論過的問題，長期以來，我也一直是這樣寫的。讀了 a href=”javascript:void(0);” — avoid the void 之后，我認同了作者的意見。下面的寫法確實更合理：

<a href="#" onclick="doSomething();returnfalse;">Link</a>

或者

<script type="javascript">
function doSomething() {
  //doSomething
  returnfalse;
}
</script>
<a href="#" onclick="return doSomething();">Link</a>

以往大家不使用"#"的問題是，這將導致點擊鏈接時頁面跳回頁面頂部，但通過 return false 語句將使得瀏覽器忽略鏈接的默認動作，從而避免了此問題。

youngpup 更有意思，他在How to Create Pop-Up Windows 中言辭激烈的倡導大家永遠永遠永遠不要使用 javascript: 偽協議：

Never, ever, ever use the javascript: pseudo-protocol for anything, ever ever ever ever again. Please. Pretty please.

他的解決方案是：

<a 
  href="http://google.com/" 
  onclick="window.open(this.href, 'popupwindow', 
  'width=400,height=300,scrollbars,resizable'); 
  returnfalse;">

這樣的好處就是可以保存到書簽或者收藏夾，可以左鍵單擊，也可以右鍵使用！

???? 我們打算為用戶架設單獨的虛擬主機服務器，可以讓企業自主上傳jsp、htm、php等程序。其中resin用來做jsp的容器。
???? 由于是用戶自主通過FTP上傳程序，我們必須控制這些程序可以執行的權限，不能讓用戶隨便瀏覽硬盤上的文件，但又要能讓resin可以正常運行。比如：/data/user_a目錄中的程序，只能在/data/user_a目錄及其子目錄中讀寫，如果想要訪問其他目錄，就沒有權限。
???? 通過研究resin的文檔以及JAVA的機制，我認為要實現以上構想，可以通過使用java權限管理器來構建一個resin的沙箱來對java的具體操作進行授權。
參考文檔：http://www.caucho.com/resin-3.0/security/securitymanager.xtp ，http://www.jscud.com/srun/news/viewhtml/3_2005_10/148.htm

???? 當我認為勝利在望的時候，發現resin好像不支持grant codeBase "file:xxxx 。

grant codeBase "file:/data/ftpdata/user01.test.com/-" {
?permission java.io.FilePermission "/data/ftpdata/user01.test.com/-", "read,write,delete";
};
???? 上面的語句，語法上沒有問題，但就是不起作用。那個codebase目錄下的文件，對本目錄沒有任何權限。

??????? resin的官方論壇里面，有人在2001年，針對resin1.2.5就提出了和我一摸一樣的疑問（http://www.caucho.com/support/resin-interest/0105/0106.html），作者發現問題是由于resin的classloader是非安全的，因此改了resin原文件后解決了問題（http://www.caucho.com/support/resin-interest/0105/0112.html），但是我看resin3的源代碼，里面已經基于java.security.SecureClassLoader，因此應該不是這個原因了。
???? 以下是我的resin.policy文件：

grant codeBase "file:${java.home}/lib/-" {
?permission java.security.AllPermission;
};

grant codeBase "file:${java.home}/jre/lib/-" {
?permission java.security.AllPermission;
};

grant codeBase "file:${resin.home}/lib/-" {
?permission java.security.AllPermission;
};

grant {
?permission java.util.PropertyPermission "*", "read";
?permission java.io.SerializablePermission "enableSubstitution";
?permission java.lang.reflect.ReflectPermission "suppressAccessChecks";?
?permission java.lang.RuntimePermission "accessClassInPackage.*";
?permission java.lang.RuntimePermission "getClassLoader";
?permission java.lang.RuntimePermission "accessDeclaredMembers";
?permission java.lang.RuntimePermission "modifyThreadGroup";
?permission java.lang.RuntimePermission "setContextClassLoader";
?permission java.lang.RuntimePermission "setIO";
?permission java.lang.RuntimePermission "stopThread";
?permission java.lang.RuntimePermission "createClassLoader";
?permission java.lang.RuntimePermission "getProtectionDomain";
?permission java.lang.RuntimePermission "defineClassInPackage";
?permission java.security.SecurityPermission "putProviderProperty.SunJCE";
?permission java.security.SecurityPermission "insertProvider.SunJCE";
?permission java.util.logging.LoggingPermission "control";
?permission java.lang.RuntimePermission "getAttribute";
?permission java.util.PropertyPermission "jaxp.debug", "read";
?permission ognl.OgnlInvokePermission "invoke.*";
?permission java.net.SocketPermission "localhost:3306","connect";
?permission java.io.FilePermission "${resin.home}/-", "read";
?permission java.io.FilePermission "${java.home}/-", "read";
?permission java.io.FilePermission "/tmp/-","read,write,delete";
?permission java.io.FilePermission "/tmp","read,write,delete";
?permission java.io.FilePermission ".","read";
?permission java.io.FilePermission "/home/apps/java/jdk/lib/tools.jar","read";
?permission java.io.FilePermission "/bin/sh", "read,execute";
};

//以下語句沒有任何作用，/data/ftpdata/user01.test.com/下的jsp對這個目錄沒有讀的權限
grant codeBase "file:/data/ftpdata/user01.test.com/-" {
?permission java.io.FilePermission "/data/ftpdata/user01.test.com/-", "read,write,delete";
};

• 確保軟件自始至終都以開放源代碼形式發布，保護開發成果不被竊取用作商業發售。任何一套軟件，只要其中使用了受 GPL 協議保護的第三方軟件的源程序，并向非開發人員發布時，軟件本身也就自動成為受 GPL 保護并且約束的實體。也就是說，此時它必須開放源代碼。
  
  
• GPL 大致就是一個左側版權（Copyleft，或譯為“反版權”、“版權屬左”、“版權所無”、“版責”等）的體現。你可以去掉所有原作的版權 信息，只要你保持開源，并且隨源代碼、二進制版附上 GPL 的許可證就行，讓后人可以很明確地得知此軟件的授權信息。GPL 精髓就是，只要使軟件在完整開源 的情況下，盡可能使使用者得到自由發揮的空間，使軟件得到更快更好的發展。
  
  
• 無論軟件以何種形式發布，都必須同時附上源代碼。例如在 Web 上提供下載，就必須在二進制版本（如果有的話）下載的同一個頁面，清楚地提供源代碼下載的鏈接。如果以光盤形式發布，就必須同時附上源文件的光盤。
  
  
• 開發或維護遵循 GPL 協議開發的軟件的公司或個人，可以對使用者收取一定的服務費用。但還是一句老話——必須無償提供軟件的完整源代碼，不得將源代碼與服務做捆綁或任何變相捆綁銷售。
  

?

以前如果要使iframe里面的腳本能訪問parent的內容，但iframe和parent的二級域名相同，那一般都會在兩者都寫上document.domain="xxx.com" 以放寬訪問權限。

今天發現，如果iframe和parent在同一個三級域名下，比如都是aa.bb.com，那設了document.domain反而會造成訪問拒絕。

查了下MSDN，有如下解釋：

Remarks

The property initially returns the host name of the server from which the page is served. The property can be assigned the domain suffix to allow sharing of pages across frames. For example, a page in one frame from home.microsoft.com and a page from www.microsoft.com initially would not be able to communicate with each other. However, by setting the domain property of both pages to the suffix "microsoft.com", you ensure that both pages are considered secure and access is available between the pages.

When you set the domain property, use the domain name determined by the server rather than by the client browser.

All the pages on different hosts must have the domain property explicitly set to the same value to communicate successfully with each other. For example, the value of the domain property of a page on the host microsoft.com would be "microsoft.com" by default. It might seem logical that if you set the domain property of a page on another host named msdn.microsoft.com to "microsoft.com," that the two pages could communicate with each other. However, this is not the case unless you have also explicitly set the domain property of the page on microsoft.com to "microsoft.com".

Furthermore, this property cannot be used to allow cross-frame communication among frames with different domain suffixes. For example, a page in one frame from www.microsoft.com and a page in another frame from www.msn.com would not be able to communicate with each other even if the domain property of both pages was set to the suffix "microsoft.com".

Security Alert??Using this property incorrectly can compromise the security of your Web site. Set the domain property only if you must allow cross-domain scripting. Use a value determined on the server. Setting this property to a value determined on the client (like through the location object) could expose your site to attack from another site through Domain Name System (DNS) manipulation. For more information, see Security Considerations: Dynamic HTML.

For more information on domain security, see About Cross-Frame Scripting and Security.