为什么我会收到“安全错误”?通过HTTPS上传时从IE8 / IE9上的plupload? [英] Why am I getting a "Security Error" from plupload on IE8/IE9 when uploading over HTTPS?
问题描述
我正在使用plupload将文件上传到ASP.NET WebAPI服务。它在Chrome中运行良好,它在我的开发机器上的IE8 / IE9中运行良好。但是,当我连接到实际服务器上的网站时,上传文件会导致plupload的错误处理程序触发,错误代码为-400,错误消息为安全错误。
I'm using plupload to upload files to an ASP.NET WebAPI service. It works fine in Chrome, and it works fine in IE8/IE9 on my development machine. When I connect to the website on the actual server, however, uploading a file causes plupload's error handler to fire with an error code of -400 and an error message of "Security Error."
查看响应和请求标题一切正常。响应甚至包含正确的返回值!我猜这与使用https有关,但我不确定它在Chrome中是否正常工作。 (Firefox有一个完全不同的问题,但似乎至少得到了与IE不同的数据。)
Looking at the response and request headers everything looks ok. The response even contains the correct return value! I'm guessing this has something to do with using https, but I'm not sure and it does work correctly in Chrome. (Firefox has a completely different issue, but seems to at least get the data back unlike IE.)
我想知道它与请求Accept头有关,这是:
I'm wondering it has something to do with the request Accept header, which is:
Accept application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
响应头的Content-Type是text / html,因为application / json导致IE想要保存响应而不是将其传递回脚本。
The response header's Content-Type is text/html because application/json causes IE to want to save the response rather than pass it back to the script.
那么这个安全错误是什么?为什么我会得到它?更重要的是,为什么我得到它,即使响应似乎正确回归?更重要的是,我该如何解决?
So what is this "Security Error" and why am I getting it? More importantly why am I getting it even though the response seems to be coming back correctly? Even more importantly, how do I fix it?
编辑:好的,更多信息。显然,IE9使用html4运行时进行plupload,它使用iframe来处理文件上传。当数据返回并且它尝试访问HTMLIFrameElement时,IE9会出现访问被拒绝错误。我理解这有助于防止xss错误,但似乎从iframe读取应该是安全的...
OK, so more information. Apparently IE9 uses the html4 runtime for plupload, which uses an iframe to handle the file upload. When the data returns and it tries to access the HTMLIFrameElement IE9 gives an "Access is denied" error. I understand it's to help prevent xss errors, BUT it seems like reading from an iframe should be safe...
所以有人知道解决方法吗?
So anyone know a way around it?
推荐答案
事实证明,IE8和IE9都使用plupload的HTML4运行时,而不是HTML5运行时。 HTML4正常运行时间通过呈现隐藏的iframe来处理上传。这里的问题是IE8 / 9禁止访问该iframe以防止XSS攻击,因此当plupload尝试读取上传结果时,我们会收到该安全错误。
It turns out that both IE8 and IE9 use plupload's HTML4 runtime, rather than the HTML5 runtime. The HTML4 uptime works by rendering a hidden iframe in order to handle the upload. The problem here is that IE8/9 disallow access to that iframe in order to prevent XSS attacks, so when plupload tries to read the result of the upload we get that security error.
解决方案基本上是为了使Web服务与调用它的页面保持相同的URL。在我的例子中,我刚刚在IIS中配置了一个指向Web服务站点的虚拟应用程序(它恰好位于同一台服务器上,但我认为它也适用于两台不同的服务器。)
The solution is basically to keep the web service available at the same URL as the page calling it. In my case, I just configured a virtual application in IIS that points at the web services site (which happen to be on the same server, but I think it can work with two different servers as well.)
在同一站点中创建虚拟应用程序允许您在仍然从辅助站点获取内容时引用主站点的URL。
Creating a virtual application in the same site allows you to refer to the primary site's URL while still getting content from the secondary site.
这篇关于为什么我会收到“安全错误”?通过HTTPS上传时从IE8 / IE9上的plupload?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
