Why do some cross-domain JSON-requests fail but others don't?


Question

I have a little trouble understanding the security bit around JSON, because often things that in theory should not work, seemingly do. AFAIK, calls from a script on a page that resides on domain A are not supposed to be able to receive data from a domain B. But in the code below the calls to one external domain fail, whereas another goes through. And neither one is a packed JSON call (jsonp).

Why is this? Should not both be disallowed from getting through the browser security checks? I get the same results in Chrome and Firefox. If I host the below html-page on dropbox.com, Chrome gives me this error message:


XMLHttpRequest cannot load http://www.odinfond.no/rest/fund/calc/fundReturn?&id=300&oneTimeInvestment=100000&oneTimeInvestmentDate=2009-11-01&endDate=2010-11-01&currency=NOK. Origin http://dl.dropbox.com is not allowed by Access-Control-Allow-Origin.

The JSON response I would have gotten if the call went through can be seen by clicking this direct link. The call to the other service returns successfully. I host the below code on dropbox. Try it out here.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
  <meta http-equiv="Content-type" content="text/html;charset=UTF-8" />

  <title>JSON/JSONP test</title>
  <script src="jquery.js" type="text/javascript"></script>
 </head>

 <body>
  <script>
   // First call: the response from www.odinfond.no carries no
   // Access-Control-Allow-Origin header that permits the dropbox origin,
   // so the browser refuses to hand the JSON to the script.
   var service = 'http://www.odinfond.no/rest/fund/calc/fundReturn?';
   var parameters = {
     id: '300',
     oneTimeInvestment: '100000',
     oneTimeInvestmentDate: '2009-11-01',
     endDate: '2010-11-01',
     currency: 'NOK'
   };
   $.getJSON(service, parameters, function(data) {
    alert("Success");
   });

   // Second call: ws.geonames.org answers with
   // Access-Control-Allow-Origin: *, so the JSON is readable from any origin.
   service = 'http://ws.geonames.org/postalCodeLookupJSON?';
   parameters = {
    postalcode: 1540,
    country: 'NO'
   };
   $.getJSON(service, parameters, function(data) {
    alert(data.postalcodes[0].adminName2);
   });
  </script>
  <p>Use Firebug to see JSON response</p>
 </body>
</html>


Answer

You'll notice that the working request has a response header:

Access-Control-Allow-Origin: *

This is what frees up the browser to make the response available to the script. (Note that the request is always made, the same origin policy only affects whether the response is accessible to the script or not)

If the '*' is a hostname, access is only allowed if the current document's hostname matches the Access-Control-Allow-Origin header
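The decision the answer describes, modelled in JavaScript as an added example (not code from the question, the answer, or either service): the browser sends the request regardless, then checks the Access-Control-Allow-Origin header before letting the script read the body. The response headers for the two services are constructed here to match what the answer reports, and the allow-list server helper is an assumed addition showing the safe way to emit that header.

```javascript
// Added example: models the browser's check on a cross-origin XMLHttpRequest
// response. The request is always sent; the header only decides readability.
// No network access: the response headers below are constructed, not fetched.

// True if a script running at `origin` may read a response whose
// Access-Control-Allow-Origin value is `acao` (null when the header is absent).
// `withCredentials` models an XHR sent with cookies: a wildcard is not accepted
// for credentialed requests, only an exact origin match (scheme + host + port).
function responseIsReadable(origin, acao, withCredentials = false) {
  if (acao === null || acao === undefined) return false;   // header missing
  const value = acao.trim();
  if (value === '*') return !withCredentials;               // wildcard
  return value === origin;                                 // exact match only
}

// Server-side counterpart (assumed helper, not the services' real behaviour):
// echo the request's Origin only when it is on an explicit allow-list.
// Reflecting every Origin unconditionally would be as open as '*' but would
// also work for credentialed requests, so the allow-list is what keeps it safe.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return { 'Access-Control-Allow-Origin': requestOrigin, 'Vary': 'Origin' };
}

// The two calls from the question, seen from the page hosted on dropbox.
const pageOrigin = 'http://dl.dropbox.com';
const constructedResponses = [
  { service: 'http://www.odinfond.no/rest/fund/calc/fundReturn', acao: null }, // blocked
  { service: 'http://ws.geonames.org/postalCodeLookupJSON', acao: '*' },       // readable
];

function classify(origin, responses) {
  return responses.map(r => ({
    service: r.service,
    readable: responseIsReadable(origin, r.acao),
  }));
}

for (const r of classify(pageOrigin, constructedResponses)) {
  console.log(r.service, r.readable ? 'readable by script' : 'blocked by browser');
}
```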
