网址中带有和不带有 www 的 Access-Control-Allow-Origin 问题 [英] Access-Control-Allow-Origin issue with and without www in url

问题描述

我制作了一个小的gwt应用程序并发布了它，但今天我发现了一个严重的问题.我知道同源策略问题，所以我将我的 gwt 应用程序和 rest json 应用程序放在同一台服务器上.但显然浏览器不考虑 http://www.xyz.com 和 http://xyz.com 作为相同的来源，因此当用户登陆 www.xyz.com 时，他无法从 http://xyz.com.

I've made a small gwt app and released it, but today I found a serious problem. I was aware of the same origin policy issue so I've put my gwt app and rest json app on the same server. But apparently browsers doesn't regard http://www.xyz.com and http://xyz.com as the same source so when a user lands on a www.xyz.com he can't get data from http://xyz.com.

这是消息:

XMLHttpRequest cannot load http://xyz.com/backend/... 
Origin http://www.xyz.com is not allowed by Access-Control-Allow-Origin.

处理这个问题的最佳方法是什么?我用谷歌搜索并首先找到了不适用于 tomcat 的 .htaccess 解决方案.我最终使用了一个空的登陆页面 index.html，只重定向到没有 www 的 url.这不是最好的解决方案，因为有人仍然可以输入带有 www 的 url，这不会索引页面，因此它不会被重定向.

What is the best way to deal with this? I've googled and first found .htaccess solution which doesn't work for tomcat. I ended up using a empty landing page index.html with only redirect to url without www in it. It's not the best solution because someone can still type in url with www which is not going to index page so it wont get redirected.

任何帮助将不胜感激.

推荐答案

除非绝对必要，否则不应在应用中使用绝对 URL.

You shouldn't use absolute URLs in your app unless absolutely necessary.

即如果应用程序可以从 http://www.example.com.

I.e. you should have "http://example.com" in your code if the app can be loaded from http://www.example.com.

例如，如果您想从中加载一些数据，例如http://example.com/abc/def，然后将 "/abc/def" 放入你的代码，不是 "http://example.com/abc/def".这样，浏览器会将 URL 解析为 http://www.example.com/abc/def，如果应用已从 http://www.example.com 或 http://example.com/abc/def 如果它是从 http://example.com 加载的.而且您永远不会冒险违反同源政策.

For instance, if you want to load some data from, e.g. http://example.com/abc/def, then put "/abc/def" in your code, not "http://example.com/abc/def". That way, the browser will resolve the URL to either http://www.example.com/abc/def if the app has been loaded from http://www.example.com, or to http://example.com/abc/def if it's been loaded from http://example.com. And you never risk to hit the Same-Origin Policy.

这篇关于网址中带有和不带有 www 的 Access-Control-Allow-Origin 问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！