jQuery - How to remove cross domain limitation


Question


I am working on a web app for mobile, and jsonp is pretty cool for cross-domain requests, but the API of the server didn't support a callback parameter. So I can only use json to fetch data from the remote server.

I tried json in jQuery; it seems it doesn't support cross-domain requests. I tried a raw ajax request function on Safari, and it works well cross-domain, so can I remove the cross-domain limitation for json requests in jQuery? (not jsonp, only json), and how do I do it?

Or is there any alternative simple ajax library (cross-browser) that can do json on cross-domain requests?

Solution

Same Origin Policy

You are attempting to circumvent the Same Origin Policy. It is built into every browser and is not normally something you can or should want to disable/workaround/etc. It is a very important security contract between your site, the user, and the user's browser.

CORS (possible)

CORS allows your web server to tell browsers/clients that access to another domain is permissible. This is done by having the following HTTP header output by your web server

 Access-Control-Allow-Origin: http://www.example.com

If you cannot control your HTTP headers, then you cannot use CORS. Implementation of this is language/framework specific.

Please note that you should check to ensure browser compatibility as IE8/9 had limited support. Also be aware that this is a potential attack vector. It allows responses from 3rd party sites to execute XSS attacks if you use the response data irresponsibly.

JSONP (possible)

JSONP is a clever way to pass and fetch data between servers by dynamically adding a script tag with a src attribute equal to "yoururl.com?<your parameter data>" to your page. It is the only legitimate way to accomplish such a feat without a web proxy (see below) or an applet (Flash/Java). However it does have its own security risks if you are not the provider of both ends of the request. Remember that JSONP allows the remote server to execute code within your context and you should be very careful who you give that power to.

"Vanilla" AJAX (not possible)

If you are not using JSONP to fetch data then you are most likely attempting to use an AJAX request to fetch data. AJAX requests are also subject to the Same Origin Policy. JavaScript libraries (e.g. jQuery, Prototype, Dojo, etc) cannot circumvent this policy as base behavior for an Ajax request. They can, however, support JSONP (which, remember, is not AJAX).

AJAX w/ Web Proxy (possible)

If you do want to request data from another server, you can forward your request. Your main site's server will be acting as a proxy. You will need to make an AJAX request to your own server; that server-side code will then make a request to the other domain and then send the response to your script via the AJAX call's response.

This is a common pattern and it is detailed here as the Web Proxy Pattern, and a picture-friendly Yahoo one here (but remember it's Yahoo specific, just take the general idea). It is, however, server-side language dependent. The overall implementation will be the same, however the code to do so will vary based on your server-side language of choice (PHP, Ruby, Python, C, etc). Some languages will already have libraries/modules/etc to support such a pattern.

Flash (possible, non-default)

Flash in its default state does not support cross-domain requests. It can be turned on in Flash 7+ with cross-domain policy files, but is highly suggested against. Your script would have to interface with a Flash API which would make the requests and return the data to your JavaScript.

Java Applet (possible, non-default)

Java is also subject to the same origin policy, but has a similar workaround to Flash as described here on its release.

Various other "hacks"

There are other hacks out there, but they generally require you to control both ends or have an agreed upon standard for communication. For example the 'window.name' hack. I don't suggest most of these methods.

Other Solutions

Another question similar to this has been asked. It outlines a few other methods that I did not cover: Ways to circumvent the same-origin policy

The Best Solutions

  1. CORS - if you trust the 3rd party
  2. Web Proxy - if you don't

A web proxy on your own domain can allow you to sanitize the data being retrieved; it offers your users the most protection. However, if you do zero sanitization it is no more secure than any of the methods outlined here. If you do implement a web proxy of some kind, make sure its requests are limited to and from the sites you wish. Else you will essentially be creating an open proxy, which could be abused by users if discovered and get you into legal trouble.
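The allowlisted web proxy the answer recommends, as an added example that is not part of the original answer or of jQuery: a Node.js (18+, for the global fetch and URL) handler that only forwards to a fixed upstream origin, refuses redirects, and re-serializes the JSON before relaying it. The host api.example.com, the ?url= query parameter and the size limit are assumptions.

```javascript
// Added example, not from the original answer. Node.js 18+ (global fetch and URL).
// An AJAX "web proxy" endpoint that only forwards to an allowlist of upstream
// origins, so it cannot be turned into an open proxy. Host names are placeholders.

// Upstream origins (scheme + host + port) the proxy may contact. Constructed placeholder.
const ALLOWED_UPSTREAMS = new Set(['https://api.example.com']);
// Largest upstream body (in characters) we are willing to relay.
const MAX_BODY_CHARS = 1024 * 1024;

// Turn the client-supplied target (the ?url= query value) into an absolute URL,
// or return null when it must be refused.
function resolveUpstream(target) {
  let url;
  try {
    url = new URL(target);          // throws on relative or malformed input
  } catch {
    return null;
  }
  if (url.username || url.password) return null;       // no credentials forwarded upstream
  if (!ALLOWED_UPSTREAMS.has(url.origin)) return null; // http://, other hosts, other ports: refused
  return url;
}

// Fetch the allowed upstream resource and return what the proxy should answer to the
// browser. fetchImpl is injectable so the logic can be exercised without a network.
async function proxyRequest(target, fetchImpl = fetch) {
  const upstream = resolveUpstream(target);
  if (!upstream) return { status: 403, body: 'upstream not allowed' };
  const res = await fetchImpl(upstream.href, {
    method: 'GET',
    headers: { accept: 'application/json' },
    redirect: 'manual',  // a redirect could point anywhere; never follow it automatically
  });
  if (res.status >= 300 && res.status < 400) return { status: 502, body: 'upstream redirected' };
  if (res.status !== 200) return { status: 502, body: `upstream returned ${res.status}` };
  const text = await res.text();
  if (text.length > MAX_BODY_CHARS) return { status: 502, body: 'upstream response too large' };
  // Sanitize: relay only data that parses as JSON, re-serialized, so the browser never
  // receives arbitrary upstream text under our origin.
  try {
    return { status: 200, body: JSON.stringify(JSON.parse(text)) };
  } catch {
    return { status: 502, body: 'upstream did not return JSON' };
  }
}

// Wiring into http.createServer: read the ?url= value with new URL(req.url, base),
// call proxyRequest, and write body with Content-Type: application/json.
// The page then calls $.getJSON('/proxy?url=' + encodeURIComponent(apiUrl)).
```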
