XMLHttpRequest cross site scripting on same server but different port

Problem description

Using XMLHttpRequest, it is not possible to open a connection to a document on a different domain than where the page itself is hosted.

But what about a different port?

For example, I have a web server running on my machine listening on port 80, so the web address would look like this:

http://localhost:80/mypage.html

And I have another web server running on localhost which is meant to process the ajax requests but listens on a different port. So the JavaScript in mypage.html would look like this:

// Request from the page on port 80 to the second server on port 1234
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "http://localhost:1234/?parameters", true);
xmlhttp.send();

Would this work? Or will it give a security exception as well?

Recommended answer

Using a different port does indeed count as cross-site scripting.

There are several well-known ways to make a call (you can always send the data) and use the response (which is what you cannot normally do under anti-xss constraints), including JSONP and using an iframe in the page to load the data.
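
The comparison behind this answer, as an added example that is not part of the original question or answer: the browser treats two URLs as the same origin only when scheme, host and port all match, with a missing port meaning the scheme's default. The function names and the extra sample URLs are assumptions constructed for illustration.

```javascript
// Added example: compare two URLs on the (scheme, host, port) tuple that the
// same-origin check uses. Function names are hypothetical.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originTuple(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    // URL.port is "" when the port is the scheme's default, so resolve it
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function compareOrigins(pageUrl, requestUrl) {
  const a = originTuple(pageUrl);
  const b = originTuple(requestUrl);
  // List every component that differs, so the reason is visible
  const differs = ["scheme", "host", "port"].filter((k) => a[k] !== b[k]);
  return { sameOrigin: differs.length === 0, differs };
}

// The page from the question, plus constructed request targets
const page = "http://localhost:80/mypage.html";
const targets = [
  "http://localhost:1234/?parameters", // the question's ajax server
  "http://localhost/other.html",       // port omitted, defaults to 80
  "https://localhost/other.html",      // different scheme and default port
  "http://127.0.0.1:80/other.html",    // same machine, different host string
];

for (const t of targets) {
  const r = compareOrigins(page, t);
  console.log(t, r.sameOrigin ? "same origin" : "cross-origin: " + r.differs.join(", "));
}
```

The host is compared as written in the URL, not as a resolved address, which is why `127.0.0.1` and `localhost` count as different origins here.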
