Why doesn't setting document.domain work to allow AJAX requests to a parent domain?


Question

I have two files, domain.com/test2.php:

<div id="testDiv"></div>

<script src="http://domain.com/packages/jquery.js"></script>
<script>$("#testDiv").load("http://domain.com/test3.php", {var1:1, var2:2});</script>

and domain.com/test3.php:

<?php
// jQuery's .load() with a data object sends a POST, so the values arrive in $_POST
// (the original relied on register_globals, which modern PHP no longer provides).
$var1 = htmlspecialchars(isset($_POST['var1']) ? $_POST['var1'] : '', ENT_QUOTES, 'UTF-8');
$var2 = htmlspecialchars(isset($_POST['var2']) ? $_POST['var2'] : '', ENT_QUOTES, 'UTF-8');
?>
<b>var1: <?php echo $var1; ?> , var2: <?php echo $var2; ?></b>

In this case domain.com/test2.php outputs var1: 1 , var2: 2 as one would expect, but let's now say I want to make a test2.php in a subdomain. To stop problems with cross-domain scripting, I would add this extra line to the start of sub.domain.com/test2.php:

<script>document.domain = "domain.com";</script>

This extra line stops the cross-domain error from showing up, but now the file no longer outputs var1: 1 , var2: 2. Why is this, and how can I fix it?

Recommended answer

The document.domain mechanism is intended for allowing client-side communication between frames, rather than client-to-server communication. If you have one frame containing a page from example.com and another frame containing a page from foo.example.com, then the two cannot access each other's DOM unless the latter sets document.domain to example.com, as you showed in your example.

The modern preferred mechanism for cross-domain AJAX requests is Cross-Origin Resource Sharing, or "CORS". This mechanism involves having the target resource return a special HTTP response header that indicates that cross-domain requests are allowed. In your scenario you'd make your test3.php return the following HTTP response header:

Access-Control-Allow-Origin: http://sub.domain.com

This is done as follows:

// The value must be a full origin (scheme + host, and port if non-default), not a bare hostname,
// otherwise the browser will not treat it as matching the requesting page's origin.
header("Access-Control-Allow-Origin: http://sub.domain.com");

You can also set this header value to just * in order to allow cross-domain requests from any origin, but be aware that this will allow requests from sites you don't control.

Requests from client-side JavaScript libraries often also include the additional header X-Requested-With, which is not in the standard set allowed by CORS, so it may be necessary to explicitly allow this header via an additional response header:

Access-Control-Allow-Headers: X-Requested-With

CORS is only supported in modern browsers. For older browsers the common convention is to use JSON-P, which is a trick exploiting the fact that a page on one server is able to load and execute a script file from another server. This technique requires that the target resource be a valid JavaScript program that calls a function in the page, so it's not as elegant and seamless as CORS, but it should work in any browser that supports JavaScript.
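As an added example (not part of the original answer), here is how test3.php could emit the CORS headers the answer describes without falling back to *: it compares the request's Origin against a fixed allow list, echoes back only a listed origin, and answers the preflight that the X-Requested-With header triggers. The constant name ALLOWED_ORIGINS and the corsHeaders() helper are assumptions for this example.

```php
<?php
// Added example: CORS handling for test3.php with an explicit allow list.
// ALLOWED_ORIGINS is a constructed list; replace it with your own subdomains.
const ALLOWED_ORIGINS = [
    'http://sub.domain.com',
    'https://sub.domain.com',
];

/**
 * Compute the CORS response headers for one request.
 * Returns an empty array when the Origin is not on the allow list, so the
 * browser refuses to expose the response to the calling page.
 */
function corsHeaders(?string $origin, string $method, array $allowed): array
{
    // Exact, case-sensitive match against the list; never reflect an
    // arbitrary Origin value back, which would be equivalent to "*".
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return [];
    }
    $headers = [
        'Access-Control-Allow-Origin' => $origin,
        // Tell shared caches that the response body/headers vary per Origin.
        'Vary' => 'Origin',
    ];
    if ($method === 'OPTIONS') {
        // Preflight: X-Requested-With is not a CORS-safelisted request header,
        // so it must be allowed explicitly, as the answer notes.
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
        $headers['Access-Control-Allow-Headers'] = 'X-Requested-With, Content-Type';
        $headers['Access-Control-Max-Age'] = '600';   // cache the preflight for 10 minutes
    }
    return $headers;
}

$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
foreach (corsHeaders($origin, $method, ALLOWED_ORIGINS) as $name => $value) {
    header("$name: $value");
}
if ($method === 'OPTIONS') {
    http_response_code(204);   // a preflight response carries no body
    exit;
}

// jQuery's .load() with a data object POSTs the fields; escape before echoing.
$var1 = htmlspecialchars($_POST['var1'] ?? '', ENT_QUOTES, 'UTF-8');
$var2 = htmlspecialchars($_POST['var2'] ?? '', ENT_QUOTES, 'UTF-8');
echo "<b>var1: $var1 , var2: $var2</b>";
```

A request from an origin not in the list still reaches the script, but without the Access-Control-Allow-Origin header the browser blocks the page from reading the response.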
