Cordova or Phonegap Http Requests and Same Origin Policy Problems

Problem description

Like so many others, I have a problem with a RESTful service we are calling.

This service, like so many others, has an ORIGIN check. Using Cordova & Ionic, doing the request from an Android app sets the origin to file://, which is good for the browser CORS check but not good for the service: they don't allow this schema for the origin. Like others, they allow only an empty origin or the same origin.

In many posts I read, they wrote that you can handle this with the whitelist plugin or with CSP. But I think this is absolutely incorrect. With the whitelist you cannot work on the origin header, and CSP has nothing to do with it.

So the last few days I spent hundreds of hours googling and testing different solutions and different plugins. But the solution is not there and not simple.

At the moment I'm testing Cordova plugins for http and websocket requests, to do native http and websocket calls. This is working great for the SOP problem, but there are some problems with cookies. I tried to find a solution with a custom WebView where we can eliminate the Origin header from the request, but this was too difficult for us.

Can someone help with this problem?

I'm not the only guy who has to call a SOP-protected resource over the internet from a mobile hybrid app. Why is there no simple solution for it?

Edit:
I created an issue for it on Cordova: https://issues.apache.org/jira/browse/CB-13194

Recommended answer

In such a case, aren't you looking to adjust the server-side CORS handling? I'm sure you've seen it in your searching, but https://enable-cors.org/server.html.

You can't/shouldn't be able to change the origin of the request from the client making the request (effectively spoofing). If changing the CORS settings at the server is not an option, you may need to look at proxying your requests to a server you control, which can then be added to the list of allowed origins on the target protected resources.
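
The server-side adjustment the answer points to, sketched as an added example (not code from the original post or from Cordova): a decision function that matches the request's Origin against an exact allow-list, which is where a proxy you control would be registered. The origins in `ALLOWED_ORIGINS`, the function name `corsDecision` and the allowed methods and headers are assumptions made for illustration.

```javascript
// Added example. Origins and the function name are hypothetical/constructed.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // constructed: the web front end
  'https://proxy.example.com', // constructed: a proxy you control
]);

// Decide how to answer a request from its method and lower-cased headers.
// Returns { action: 'pass' | 'preflight' | 'reject', headers: {...} }.
function corsDecision(method, reqHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = reqHeaders['origin'];

  // No Origin header: a same-origin GET or a non-browser client
  // (native HTTP plugin, curl). CORS does not apply, so emit nothing.
  // Origin is a browser-enforced hint, not authentication.
  if (origin === undefined || origin === '') {
    return { action: 'pass', headers: {} };
  }

  // Exact string match only. "file://" and "null" are shared by every
  // local page and sandboxed frame, so they are never allow-listed, and
  // suffix/prefix matching would let look-alike hosts through.
  if (!allowed.has(origin)) {
    return { action: 'reject', headers: { Vary: 'Origin' } };
  }

  // Echo the one matched origin. A wildcard cannot be combined with
  // credentials (cookies), so "*" is not an option here.
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };

  // Preflight: OPTIONS carrying Access-Control-Request-Method.
  if (method === 'OPTIONS' && reqHeaders['access-control-request-method']) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    return { action: 'preflight', headers };
  }
  return { action: 'pass', headers };
}
```

Because a request with no Origin header passes this check untouched, access to the resource still has to be decided by real authentication (session, token), not by the Origin value.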
