How to make a cross-domain AJAX POST call from a SharePoint web part?

Posted 2024-09-25 12:19:31 · 326 words · 3 views · 0 comments


I need to call a (HTTP) REST API as a POST call - basically, it allows me to post a message to a forum/community.

Since there is currently no way of authenticating over the API, I need to depend on browser cookies, i.e., have the user logged in to the community and then use the API calls. This means server proxies are ruled out.

And because it's a POST call, JSONP is also ruled out, even if it were supported by the API's server.

So this POST call needs to be 100% javascript.

This JS will end up being part of a Webpart in Sharepoint so I don't really want to complicate it with iframes.

Well?

Comments (1)

天气好吗我好吗 2024-10-02 12:19:31


The only way to do a cross-domain POST is to script a form:

<iframe name="iframe"></iframe>
<form id="foo" target="iframe" method="POST" action="http://...">
    <input type="hidden" name="parameter 1" value="bar"/>
    ...
</form>
<script type="text/javascript">
    ...
    document.getElementById('foo').submit();
</script>

You won't be able to read the response in the iframe due to the Same Origin Policy, but the POST will be made.

Any forum that knows what it's doing will reject this request. Otherwise, anyone who visited a third-party site could be made to automatically post to the forum against their will. This is known as cross-site request forgery (XSRF) and is a perennial web security problem. Most forum administrators would consider the above code hostile.

Secure forums use an ‘anti-XSRF’ per-action token to prevent the above, essentially requiring that postings be made from the form on the site itself and not from a third-party site. Since you can't read the document included cross-domain, you can't pinch the token so can't authorise a post.
