AJAX, Subdomains, and SSL


Problem description

I have a site, foo.com, that makes ajax requests to bar.foo.com. Will this work?

Also, if foo is a secure connection, https, does bar.foo.com need to be https too? Can these two sites use different certificates?

Solution

With plain-http AJAX: You are talking about doing cross-domain XMLHttpRequest, which is not permitted by browsers. There's a W3C proposal pending to implement this in a secure way in the future (partially implemented by IE8, IIRC), but it's definitely not possible at present.

There are, however, workarounds for doing it securely: Subspace (which uses iframes and document.domain), the fragment identifier technique (again, uses iframes) and window.name technique (again, iframes!).

As far as SSL goes, you can buy separate certificates for the domain and subdomain, or a single wildcard (*.foo.com) cert that covers them both (naturally, the wildcard cert will be more expensive).

If you have an HTTPS page that requests items from other domains, all will be well as long as everything is HTTPS. That means that if you use one of the iframe workarounds, you have to specify an https:// scheme URL in the src attribute of the iframe.

A final, less efficient, workaround is to have a script on https://foo.com that proxies requests to insecure http://bar.foo.com. (This also solves the XHR cross-domain problem, so you can ignore the other workarounds.) Of course, that means you're sending the XHR request to https://foo.com/someurl, it's then hitting http://bar.foo.com/someurl, receiving the response and sending it back to the browser, so performance-wise you're much better off just moving the server-side functionality of bar.foo.com onto foo.com, if you have that option. But if you can't move the server script, then proxying is the way to go.

EDIT: I changed the last 3 grafs after doing some extra testing and getting an iframe AJAX workaround (the #fragmentidentifier one) to work across different HTTPS domains. You can do SSL cross-domain AJAX using iframes as long as everything is https and the https scheme is used in the iframe src. Summarizing:

  1. Short answer: no, true cross-domain XHR not allowed
  2. Workaround with iframes: more efficient, need 2 SSL certs (or wildcard cert), somewhat complicated
  3. Workaround with proxy: less efficient, can do with 1 or 2 SSL certs (1 with backend request to bar.foo.com via http), somewhat complicated
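The proxy workaround from the answer, sketched for Node.js as an added example (not code from the original answer): a handler on https://foo.com that forwards only to the fixed backend http://bar.foo.com, so the endpoint cannot be pointed at any other host. The `/api/` prefix, the GET-only restriction, the dropped-header list and all function names are assumptions made for the illustration.

```javascript
// Added example, not from the original answer. Assumed names: PREFIX, DROP,
// upstreamUrl, forwardHeaders, proxyHandler. Only the two hosts come from the page.
const UPSTREAM = new URL('http://bar.foo.com');
const PREFIX = '/api/'; // assumed path on https://foo.com that the browser calls
// Hop-by-hop headers, plus foo.com credentials that should not cross the
// unencrypted backend leg (assumption: the backend needs no browser cookies).
const DROP = new Set(['host', 'connection', 'keep-alive', 'te', 'trailer', 'upgrade',
  'transfer-encoding', 'proxy-authorization', 'cookie', 'authorization']);

// Map a request path to a URL on the pinned backend; null means "refuse".
function upstreamUrl(reqPath) {
  if (typeof reqPath !== 'string' || !reqPath.startsWith(PREFIX)) return null;
  let url;
  try {
    url = new URL(reqPath.slice(PREFIX.length - 1), UPSTREAM);
  } catch {
    return null;
  }
  // "/api//other.example/x" would resolve to another host: compare after parsing.
  return url.origin === UPSTREAM.origin ? url : null;
}

function forwardHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!DROP.has(name.toLowerCase())) out[name.toLowerCase()] = value;
  }
  return out;
}

// Request handler for the Node server behind https://foo.com (TLS setup not shown).
async function proxyHandler(req, res, fetchImpl = fetch) {
  const target = upstreamUrl(req.url);
  if (!target) { res.writeHead(404); return res.end(); }
  if (req.method !== 'GET') { res.writeHead(405); return res.end(); }
  try {
    const upstream = await fetchImpl(target, {
      headers: forwardHeaders(req.headers),
      redirect: 'manual', // do not follow the backend to some other host
      signal: AbortSignal.timeout(5000),
    });
    const body = Buffer.from(await upstream.arrayBuffer());
    const type = upstream.headers.get('content-type') || 'application/octet-stream';
    res.writeHead(upstream.status, { 'content-type': type });
    res.end(body);
  } catch {
    res.writeHead(502);
    res.end();
  }
}
```

The browser then sends its XHR to https://foo.com/api/someurl, which is same-origin, and the handler fetches http://bar.foo.com/someurl on its behalf.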
