Overridden XMLHttpRequest for cross-domain requests


Question

I'm wondering if there is a JavaScript library that overrides XMLHttpRequest and allows all cross-domain requests to be handled transparently and forwarded seamlessly through my same-origin server-side proxy.

What I want is to have a common solution, which could be used together with any JavaScript library to make cross-domain requests (e.g. with cross-domain jQuery.ajax()).

Are there any drawbacks to using such a library (security problems, HTTPS access, etc.)?

Update:

If such a library has already been created by someone, then I just do not want to reinvent the wheel and handle all corner cases again.

Recommended answer

If you just need to redirect every request to a specific proxy, you could simply write it yourself, something along the lines of

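// keep a reference to the native open() so the wrapper can delegate to it
XMLHttpRequest.prototype.oldOpen = XMLHttpRequest.prototype.open;
var newOpen = function() {
   // overwrite arguments changing the original url to the proxy one,
   // and add a parameter/header to send the original url to the proxy
   // open() takes (method, url, async, user, password): forward all of them
   return this.oldOpen.apply(this, arguments);
};
XMLHttpRequest.prototype.open = newOpen;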

Since the proxy is in the same domain (if you want to allow x-domain proxy requests, just add the Access-Control-Allow-Origin header), it will not be sent any cookie of the remote domain (you won't have them anyway, since x-domains cookies are blocked - as long as you don't enter the field with the header Access-Control-Allow-Credentials).

Some security implications are rather obvious:


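  • You are proxying the requests, so the proxy itself has access to everything, regardless of encryption

  • The proxy will be required to do the HTTPS handling (if the remote URL is secure), and the client will not be able to (or, on the other hand, will not need to, if the proxy is expected to do it) directly validate the server certificate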

A more complex (same domain, to fully support cookies) proxy implementation could even provide basic session handling for cross domain requests rewriting the headers:


  1. Client requests www.remotedomain.com/querystring from www.mydomain.com without cookies
  2. Request is rewritten as proxy.mydomain.com/www.remotedomain.com/querystring
  3. The proxy makes a request to www.remotedomain.com/querystring which responds with the header

Set-Cookie: name=value; path=/; expires Mon, 31-Dec-2012 23:59:59 GMT

The client receives the response with the header

Set-Cookie: name=value; path=/www.remotedomain.com; expires Mon, 31-Dec-2012 23:59:59 GMT

On the next request the client will send the cookie, and the proxy will just forward them to the remote service

But I'm probably digressing too much. :)
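
The URL rewrite and the cookie path scoping described in the answer above, as an added example that is not part of the original post or of any existing library. `PROXY_BASE`, `toProxyUrl`, `installProxy` and `rewriteSetCookie` are hypothetical names, and a remote cookie without a Path attribute is assumed to mean `/`.

```javascript
// Added example. PROXY_BASE and all function names are assumptions; the proxy
// is assumed to fetch the remote host on the client's behalf.
const PROXY_BASE = 'https://proxy.mydomain.com';

// Client side: map a cross-origin http(s) URL to PROXY_BASE/<host>/<path>.
// Same-origin, already-proxied and non-http(s) URLs are returned unchanged.
function toProxyUrl(url, pageOrigin) {
  const target = new URL(url, pageOrigin);
  const local = [pageOrigin, new URL(PROXY_BASE).origin].includes(target.origin);
  if (local || !/^https?:$/.test(target.protocol)) return url;
  return PROXY_BASE + '/' + target.host + target.pathname + target.search;
}

// Wrap open() on the prototype so every library that uses XMLHttpRequest
// (jQuery.ajax included) is routed through the proxy without code changes.
function installProxy(XHR, pageOrigin) {
  const originalOpen = XHR.prototype.open;
  XHR.prototype.open = function (method, url, ...rest) {
    const proxied = toProxyUrl(String(url), pageOrigin);
    return originalOpen.call(this, method, proxied, ...rest);
  };
}

// Proxy side: scope a remote Set-Cookie to /<remoteHost> so the browser sends
// it back only on proxied requests for that host. Domain is dropped because it
// names the remote site, which the browser would reject for the proxy's host.
// A missing Path is treated as "/" (assumption).
function rewriteSetCookie(header, remoteHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const isScope = (a) => /^(path|domain)\s*=/i.test(a);
  const pathAttr = attrs.find((a) => /^path\s*=/i.test(a));
  const remotePath = pathAttr ? pathAttr.slice(pathAttr.indexOf('=') + 1).trim() : '/';
  const scoped = '/' + remoteHost + (remotePath === '/' ? '' : remotePath);
  return [pair, 'Path=' + scoped, ...attrs.filter((a) => !isScope(a))].join('; ');
}

// In a browser page, install once before any library issues requests.
if (typeof XMLHttpRequest !== 'undefined' && typeof location !== 'undefined') {
  installProxy(XMLHttpRequest, location.origin);
}
```

Attributes such as Secure and HttpOnly pass through unchanged, so the proxied cookie keeps the protections the remote service asked for.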
