javascript - 检测用户是否单击了弹出窗口中的元素

Question

是否可以检查用户是否单击了弹出窗口中的元素？我目前使用此 JavaScript 打开弹出窗口并检测它是否关闭。

var win = window.open(url,'','height=500,width=800');
var winTimer = window.setInterval(function()
{
    if (win.closed == true) {
        clearInterval(winTimer);
    }
}, 2000);

例如，我在弹出窗口中打开 YouTube，我想检测用户是否点击了“喜欢”按钮。如何检测间隔内的元素点击并在检测到后关闭弹出窗口？

Answer 1

不幸的是，除非该域托管在与您的网站相同的域上，否则您将遇到 cross-domain security问题。在这种情况下，您想要完成的任务(通过 youtube)将不起作用，除非他们有一个隐式 api 允许这样做(请参阅 Window.postMessage() )。

来自wikipedia page for the Same-origin_policy :

The main reason to have this restriction is because without the same-origin policy there would be a security risk. Assume that a user is visiting a banking website and doesn't log out. Then he goes to any random other site and that site has some malicious JavaScript code running in the background that requests data from the banking site. Because the user is still logged in on the banking site, that malicious code could do anything on the banking site. For example, get a list of your last transactions, create a new transaction, etc. This is because the browser can send and receive session cookies to the banking website based on the domain of the banking website. A user visiting that malicious site would expect that the site he is visiting has no access to the banking session cookie. While this is true, the JavaScript has no direct access to the banking session cookie, but it could still send and receive requests to the banking site with the banking site's session cookie, essentially acting as a normal user of the banking site. Regarding the sending of new transactions, even CSRF protections by the banking site have no effect, because the script can simply do the same as the user would do. So this is a concern for all sites where you use sessions and/or need to be logged in. If the banking site from the example (or any other site of course) only presents public data and you cannot trigger anything, then there is usually no danger which the same-origin policy protects against. Also, if the two sites are under control of the same party or trust each other completely, then there is probably no danger either.