JavaScript access from parent domain to subdomain?


Question


I've read that setting document.domain = "example.com" lets me access the parent domain from a subdomain.

Will the same work the other way around?

Let's say my main site is running under http://example.com. All API functions that I want to access via AJAX (GET & POST) are hosted on http://api.example.com.

Will I be able to access api.example.com from example.com?

EDIT: Looking at document.domain again, I don't think that this will solve the problem. The results from calls to api.example.com are not necessarily HTML, but output from a PHP script running on the API server. It can be JSON, plain text, etc., so there's no way to set document.domain for that (since it's not an iframe).

Solution

You need to set document.domain on BOTH pages

Alternatively set CORS headers on your server:

http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/

A Quick Overview of CORS

Firefox 3.5 and Safari 4 implement the CORS specification, using XMLHttpRequest as an "API container" that sends and receives the appropriate headers on behalf of the web developer, thus allowing cross-site requests. IE8 implements part of the CORS specification, using XDomainRequest as a similar "API container" for CORS, enabling simple cross-site GET and POST requests. Notably, these browsers send the ORIGIN header, which provides the scheme (http:// or https://) and the domain of the page that is making the cross-site request. Server developers have to ensure that they send the right headers back, notably the Access-Control-Allow-Origin header for the ORIGIN in question (or "*" for all domains, if the resource is public).

The CORS standard works by adding new HTTP headers that allow servers to serve resources to permitted origin domains. Browsers support these headers and enforce the restrictions they establish. Additionally, for HTTP request methods that can cause side-effects on user data (in particular, for HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request header, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.
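
The server-side decision the quoted overview describes, as an added example that is not part of the original question or answer: given a request's method and headers, it computes the CORS response headers for an API at api.example.com that should be readable only from http://example.com. The function name, the allowlist contents, the 403 rejection and the max-age value are assumptions made for illustration.

```javascript
// Added example (assumed names and policy): CORS decision for api.example.com.
const ALLOWED_ORIGINS = new Set(["http://example.com"]); // exact scheme + host, no wildcards
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type"];

// Returns { status, headers } for the CORS part of a response.
// `method` is the HTTP method; `reqHeaders` uses lower-cased header names.
function corsResponse(method, reqHeaders) {
  const headers = { Vary: "Origin" }; // caches must not reuse a response across origins
  const origin = reqHeaders["origin"];

  // No Origin header: same-origin or non-browser request, nothing CORS-related to add.
  if (origin === undefined) return { status: 200, headers };

  // Exact match against the allowlist. Reflecting the Origin unchecked, or testing it
  // with a prefix/suffix match, would also admit "http://example.com.other.test".
  // Rejecting with 403 (rather than only omitting the headers) is this example's choice.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers };

  headers["Access-Control-Allow-Origin"] = origin; // "*" is not accepted with credentials
  headers["Access-Control-Allow-Credentials"] = "true";

  // Preflight: an OPTIONS request carrying Access-Control-Request-Method.
  const wanted = reqHeaders["access-control-request-method"];
  if (method === "OPTIONS" && wanted !== undefined) {
    const asked = (reqHeaders["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wanted) &&
      asked.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: { Vary: "Origin" } };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // seconds the browser may cache the approval
    return { status: 204, headers };
  }
  return { status: 200, headers }; // actual request: handler output goes out with these headers
}
```

On the page at http://example.com, the XMLHttpRequest must set `withCredentials = true` for cookies to be sent to api.example.com.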
