AJAX,子域和SSL [英] AJAX, Subdomains, and SSL
问题描述
我有一个网站,foo.com,这使得AJAX请求bar.foo.com。将这项工作。
I have a site, foo.com, that makes ajax requests to bar.foo.com. Will this work.
此外,如果foo是一个安全的连接,HTTPS,并bar.foo.com需要的https太?这两个网站可以使用不同的证书?
Also, if foo is a secure connection, https, does bar.foo.com need to be https too? Can these two sites use different certificates?
推荐答案
通过纯HTTP AJAX:你说的是做跨域XMLHtt prequest,这是浏览器不容许的。有一个 W3C建议未决,以在未来一个安全的方式实施这一(部分由IE8,IIRC实现),但它绝对不可能在present。
With plain-http AJAX: You are talking about doing cross-domain XMLHttpRequest, which is not permitted by browsers. There's a W3C proposal pending to implement this in a secure way in the future (partially implemented by IE8, IIRC), but it's definitely not possible at present.
有,但是,解决方法做安全:子空间(它使用内置页框和 document.domain的),在片段标识符技术(再次,使用内置页框)和 window.name 技术的(再次,内置页框!)。
There are, however, workarounds for doing it securely: Subspace (which uses iframes and document.domain), the fragment identifier technique (again, uses iframes) and window.name technique (again, iframes!).
据SSL的推移,你可以买到,涵盖他们的域和子域,或有一个通配符(* .foo.com)证书单独的合格证书(自然,通配符证书会更贵)。
As far as SSL goes, you can buy separate certificates for the domain and subdomain, or a single wildcard (*.foo.com) cert that covers them both (naturally, the wildcard cert will be more expensive).
如果你有一个HTTPS页面请求的项目,从其他领域,一切都会好起来,只要一切都是HTTPS。这意味着,如果你使用的iframe解决方法之一,您必须指定一个 HTTPS:在的src 方案网址C> iframe的属性。
If you have an HTTPS page that requests items from other domains, all will be well as long as everything is HTTPS. That means that if you use one of the iframe workarounds, you have to specify an https:// scheme URL in the src attribute of the iframe.
最后,效率较低,解决方法是对 https://foo.com 一个脚本,请求代理不安全 HTTP:/ /bar.foo.com 。 (这也解决了XHR跨域问题,这样你就可以忽略其他解决方法。)当然,这意味着你要发送的XHR请求 https://foo.com/someurl ,它然后按 http://bar.foo.com/someurl ,接收响应并将其发送回浏览器,因此性能明智的你再好得多只是移动bar.foo.com的服务器端功能到foo.com,如果你有这样的选择。但是,如果你不能移动服务器脚本,然后代理是要走的路。
A final, less efficient, workaround is to have a script on https://foo.com that proxies requests to insecure http://bar.foo.com. (This also solves the XHR cross-domain problem, so you can ignore the other workarounds.) Of course, that means you're sending the XHR request to https://foo.com/someurl, it's then hitting http://bar.foo.com/someurl, receiving the response and sending it back to the browser, so performance-wise you're much better off just moving the server-side functionality of bar.foo.com onto foo.com, if you have that option. But if you can't move the server script, then proxying is the way to go.
编辑:我改变了过去3 grafs做一些额外的测试,并获得一个iframe AJAX的解决方法(在#fragmentidentifier一个)跨不同的HTTPS域中工作岗位。您的可以的操作使用内置页框,只要一切都是SSL跨域AJAX HTTPS 和 HTTPS 方案用于在iframe 的src 。总结:
I changed the last 3 grafs after doing some extra testing and getting an iframe AJAX workaround (the #fragmentidentifier one) to work across different HTTPS domains. You can do SSL cross-domain AJAX using iframes as long as everything is https and the https scheme is used in the iframe src. Summarizing:
- 在简短的回答:没有,真正的跨域XHR不允许
- 与解决方法 内置页框:更高效,需要2 SSL 证书(或通配符证书),有点 复杂的
- 解决方法与代理: 效率较低,可以被1或2做 SSL证书(1通过HTTP后台请求bar.foo.com),有些复杂
- Short answer: no, true cross-domain XHR not allowed
- Workaround with iframes: more efficient, need 2 SSL certs (or wildcard cert), somewhat complicated
- Workaround with proxy: less efficient, can do with 1 or 2 SSL certs (1 with backend request to bar.foo.com via http), somewhat complicated
这篇关于AJAX,子域和SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
