跨站点XMLHtt prequest [英] Cross-site XMLHttpRequest

问题描述

我想提供一段JavaScript code，将工作位置时包括任何网站，但它总是需要获得其中的Javascript托管在服务器上更多的数据（甚至修改数据）。我知道有显而易见的原因，到位的安全限制。

请考虑的index.html托管在含xyz.com如下：

 ＆LT;脚本类型=文/ JavaScript的SRC =htt​​p://abc.com/some.js＆GT;＆LT; / SCRIPT＆GT;
 

将some.js可以使用XMLHtt prequest将数据发布到abc.com？换句话说，就是abc.com隐含信任，因为我们加载的Javascript从那里？

解决方案

  

将some.js可以使用XMLHtt prequest将数据发布到abc.com？换句话说，就是abc.com隐含信任，因为我们加载的Javascript从那里？

没有，因为剧本是在加载到一个单独的域名将不能访问...

如果您信任的数据源，那么也许JSONP将是更好的选择。 JSONP涉及动态添加新的脚本元素与SRC设置到另一个域的页面，一个回调设置为在查询字符串参数。例如：

 函数的getJSON（URL，成功）{
    VAR UD ='json的'+（的Math.random（）* 100）的ToString（）代替（/\./克，''）。
    窗口[UD] =功能（O）{
        成功和放大器;＆安培;成功（O）;
    };
    document.getElementsByTagName（'身体'）[0] .appendChild（（函数（）{
        VAR S = document.createElement方法（脚本）;
        s.type =文/ JavaScript的;
        s.src = URL.replace（'？回调='，'回调='+ UD）;
        返回S;
    }）（））;
}

getJSON('http://YOUR-DOMAIN.com/script.php?dataName=john&dataAge=99&callback=?',function(data){
    VAR成功= data.flag ===成功;
    如果（成功）{
        警报（'发布到abc.com保护正常工作成功每一步'）;
    }
}）;
 

所以，你需要举办自己的脚本，可以使用PHP /卷曲张贴到abc.com域，然后将输出JSONP格式的响应：

我没有太大用PHP，但也许是这样的：

 ＆LT; PHP
    / *抓住变量* /
    $ postURL = $ _GET ['posturl'];
    $ POSTDATA ['名称'] = $ _GET ['数据名'];
    $ POSTDATA ['年龄'] = $ _GET ['dataAge'];

    / *在这里，POST到abc.com * /
    / *更多信息：http://uk3.php.net/curl和放大器; http://www.askapache.com/htaccess/sending-post-form-data-with-php-curl.html * /

    / *假数据（只是在这个例子:) * /
    $ postResponse ='blahblahblah';
    $ postSuccess = TRUE;

    / *一旦你做到了这一点，你可以输出JSONP响应* /
    / *记住JSON格式=='JavaScript对象符号 - 例如， {'富'：{'吧'：'富'}} * /
    回声$ _GET ['回调']。 '（{';
    回声'标志'：'$ postSuccess。'
    回声回应：}）$ postResponse。'

？＆GT;
 

那么，你的服务器，你在有控制的，将作为客户端和abc.com之间的媒介，你会发送响应返回给JSON格式的客户端，以便它可以被理解和使用由JavaScript ......

I want to provide a piece of Javascript code that will work on any website where it is included, but it always needs to get more data (or even modify data) on the server where the Javascript is hosted. I know that there are security restrictions in place for obvious reasons.

Consider index.html hosted on xyz.com containing the following:

<script type="text/javascript" src="http://abc.com/some.js"></script>

Will some.js be able to use XMLHttpRequest to post data to abc.com? In other words, is abc.com implicitly trusted because we loaded Javascript from there?

解决方案

Will some.js be able to use XMLHttpRequest to post data to abc.com? In other words, is abc.com implicitly trusted because we loaded Javascript from there?

No, because the script is loaded on to a seperate domain it will not have access...

If you trust the data source then maybe JSONP would be the better option. JSONP involves dynamically adding new SCRIPT elements to the page with the SRC set to another domain, with a callback set as a parameter in the query string. For example:

function getJSON(URL,success){
    var ud = 'json'+(Math.random()*100).toString().replace(/\./g,'');
    window[ud]= function(o){
        success&&success(o);
    };
    document.getElementsByTagName('body')[0].appendChild((function(){
        var s = document.createElement('script');
        s.type = 'text/javascript';
        s.src = URL.replace('callback=?','callback='+ud);
        return s;
    })());
}

getJSON('http://YOUR-DOMAIN.com/script.php?dataName=john&dataAge=99&callback=?',function(data){
    var success = data.flag === 'successful';
    if(success) {
        alert('The POST to abc.com WORKED SUCCESSFULLY');
    }
});

So, you'll need to host your own script which could use PHP/CURL to post to the abc.com domain and then will output the response in JSONP format:

I'm not too great with PHP, but maybe something like this:

<?php
    /* Grab the variables */
    $postURL = $_GET['posturl'];
    $postData['name'] = $_GET['dataName'];
    $postData['age'] = $_GET['dataAge'];

    /* Here, POST to abc.com */
    /* MORE INFO: http://uk3.php.net/curl & http://www.askapache.com/htaccess/sending-post-form-data-with-php-curl.html */

    /* Fake data (just for this example:) */
    $postResponse = 'blahblahblah';
    $postSuccess = TRUE;

    /* Once you've done that, you can output a JSONP response */
    /* Remember JSON format == 'JavaScript Object Notation' - e.g. {'foo':{'bar':'foo'}} */
    echo $_GET['callback'] . '({';
    echo "'flag':' . $postSuccess . ',";
    echo "'response':' . $postResponse . '})";

?>

So, your server, which you have control over, will act as a medium between the client and abc.com, you'll send the response back to the client in JSON format so it can be understood and used by the JavaScript...

这篇关于跨站点XMLHtt prequest的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！