如何规避第三方https网站的同源政策？ [英] How to circumvent same-origin policy for a 3rd party https site?

问题描述

我有一个 http：// 网站，需要访问在 https：// 网站。我已经阅读了规避同源政策的方法，但似乎那里描述的方法不适合我：

I have a http:// site that needs to access a 3rd party JSON API that is exposed on an https:// site. I've read through Ways to circumvent the same-origin policy, but it seems the methods described there aren't appropriate for me:

1. document.domain方法 - 仅限适用于子域。


2. 跨源资源共享方法 - 需要服务器合作。


3. 窗口.postMessage方法 - 似乎需要打开一个弹出窗口？


4. 反向代理方法 - 一种可能的解决方案，但似乎有点太难了安装。


5. http://anyorigin.com - 似乎不支持SSL。

1. The document.domain method - only works on subdomains.
2. The Cross-Origin Resource Sharing method - requires server cooperation.
3. The window.postMessage method - seems to require opening a popup window?
4. The Reverse Proxy method - A possible solution, but seems a bit too hard to setup.
5. http://anyorigin.com - seems to not support SSL.

这是吗？我必须实现解决方案4，这似乎相当复杂，或者我错过了什么？

Is this it? Must I implement solution 4, which seems rather complicated, or am I missing something?

推荐答案

抱歉，似乎anyorigin.com 支持支持https。

Sorry, it seems that anyorigin.com does support https.

我天真以为它没有的原因是因为有问题的API 返回JSON，我想我实际上只是得到一个纯文本响应（就像我在使用anyorigin.com的测试中一样）在google.com上）。当它只返回一个对象时，我发现有些东西被打破了。

The reason I naively thought it doesn't, is because the API in question returns JSON, and I thought I would actually just get a plain text response (as in my tests with using anyorigin.com on google.com). When it returned just an object, I figured something was broken.

看来对象只返回解析后的JSON ，所以我很高兴！

It appears the object simply returns the parsed JSON, so I'm good to go!

更新 - anyorigin.com在我发布这个网站几周后停止了对某些https网站的工作，所以我继续写了 whateverorigin.org ，这是anyorigin的开源替代品。

Update - anyorigin.com stopped working with some https sites a few weeks after I posted this, so I went ahead and wrote whateverorigin.org, an open source alternative to anyorigin.

这篇关于如何规避第三方https网站的同源政策？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！