Cross-domain XHR/AJAX: a possible workaround?

Problem description

I just had an idea to make cross-domain AJAX calls, because so far they really are a PITA to deal with. This is a solution I haven't seen exposed anywhere on the web, so it might be (probably is) flawed/dangerous for some reason, which I can't seem to see now, so I'm turning to you to tell me if this is legit or not :

Today if you own a domain, www.foo.com, you cannot make XML Http Requests to say www.bar.com. But what if you made an XHR to foo.com, that would then ask bar.com for the page, through a cURL request (or a socket or anything ?).

You normally set up your xhr, be it a GET or a POST, but you send it to foo.com/remote-xhr.php instead and add a "url" parameter containing the originally intended URL, and "params" parameter containing, well, the parameters.

remote-xhr.php parses "params", and calls "url", and "echo" the response.

It's definitely a tradeoff, because : 1. you make 2 calls instead of one with other solutions (script tag hack/JSONP) and 2. you lose any authentication you might have had because the client isn't requesting the page but the server is (you can workaround it with unique IDs, salt, anything though) ; but you then have a perfectly normal XHR call that could work with any distant domain !

What am I missing?

Recommended answer

I imagine you've already thought of some of these, but just in case not

  1. If you aren't doing any kind of authentication with your server-side XHR pass-through, you might want to limit what URLs can be called and parse the params for any extra-weird XSS opportunities this presents.

The latency increase might put a strain on your webserver since it could be holding the request/response threads longer waiting for a cURL response to come back (unless you're doing some kind of extra async architecture). Caching the cURL response might be preferable, but depending on how many variations of your POST'ed parameters you might encounter, that might not be an option.

I'm sure there are others depending on your application, but I will go ahead and say that I'm doing something like this but only because I pay for an external API that I don't want to expose directly to my AJAX application... so I've pretty heavily abstracted the calls, and limit them to pretty much a single external URL.
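The answer's first point, limiting which URLs the server-side pass-through will call, is the part of this design that decides whether the proxy is safe to expose. A pass-through that forwards any "url" parameter turns the web server into a fetcher for whatever host a client names, including internal ones. The following is an added example, not code from the question or the answer: a Python version of the validation step a remote-xhr.php style endpoint should perform before issuing the outbound request. The allowlist entries (`api.bar.com`), the function names and the `fetch` callback are assumptions for illustration; the original proxy is described in PHP and this reproduces only the check, not the echoing of the response.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist: target hostname -> schemes the proxy may use to reach it.
# The answer describes limiting the pass-through to "pretty much a single external URL";
# keeping hostnames here (not prefixes or regexes) is the least error-prone way to do that.
ALLOWED_TARGETS = {
    "api.bar.com": {"https"},
}


class ProxyRejected(ValueError):
    """Raised when the client-supplied target URL is outside the allowlist."""


def validate_target_url(url, allowed=ALLOWED_TARGETS):
    """Return the URL unchanged if it may be proxied, else raise ProxyRejected.

    Checks, in order: scheme, absence of userinfo (so 'https://api.bar.com@evil/'
    does not pass as api.bar.com), a literal hostname that is not an IP address,
    membership in the allowlist, and a default port only.
    """
    parts = urlparse(url)

    if parts.scheme not in ("http", "https"):
        raise ProxyRejected("scheme not permitted: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise ProxyRejected("userinfo in target URL is not permitted")

    host = parts.hostname  # urlparse lowercases this and strips brackets/userinfo
    if not host:
        raise ProxyRejected("target URL has no hostname")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ProxyRejected("IP-literal targets are not permitted")

    if parts.scheme not in allowed.get(host, set()):
        raise ProxyRejected("host/scheme not in allowlist: %s://%s" % (parts.scheme, host))

    try:
        port = parts.port
    except ValueError:
        raise ProxyRejected("malformed port in target URL")
    if port not in (None, 80, 443):
        raise ProxyRejected("non-default port not permitted: %r" % port)

    return url


def is_allowed_target(url, allowed=ALLOWED_TARGETS):
    """Boolean convenience wrapper around validate_target_url."""
    try:
        validate_target_url(url, allowed)
    except ProxyRejected:
        return False
    return True


def forward(url, params, fetch, allowed=ALLOWED_TARGETS):
    """The pass-through step: validate, then hand the request to `fetch`.

    `fetch(target, params)` is a caller-supplied callable (an assumption of this
    example) so the outbound HTTP client can be swapped or stubbed; the proxy
    never lets an unvalidated URL reach it.
    """
    target = validate_target_url(url, allowed)
    return fetch(target, params)


if __name__ == "__main__":
    # Constructed sample of what a client might put in the "url" parameter.
    samples = [
        "https://api.bar.com/v1/items?x=1",
        "http://api.bar.com/v1/items",
        "https://api.bar.com@evil.example/",
        "https://127.0.0.1/",
        "https://api.bar.com:8443/",
    ]
    for s in samples:
        print("%-45s %s" % (s, "allowed" if is_allowed_target(s) else "rejected"))
```

Of the constructed samples only the first is forwarded; the others fail on scheme, userinfo, IP literal or port. The same check belongs in the PHP endpoint before the cURL call, and the "params" value should be restricted to the parameter names the allowlisted API actually accepts rather than forwarded wholesale.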
