Cross-domain request to localhost

Posted on 2024-10-03 14:43:50, 1029 characters, 1 view, 0 comments


DISCLAIMER: I've already looked at various approaches to solve my issue, so please read this before labeling this as a duplicate question

I have JavaScript running on https://xyz.com which has to retrieve information from an application ABC running on the user's local machine, say on port 8080.

My constraints are that I cannot modify the HTTP headers emanating from the ABC, nor do I want the user to install another application which will be a conduit to route my requests through to ABC.

Cross-Domain/Window Messaging Options

a) window.postMessage: Ruled out since I cannot have script running on the local machine
b) XDR Object (IE) or Access-Control-Allow-Origin (Firefox,Safari et al): Ruled out since I cannot modify the header
c) JSONP: Again this will not work since I am unable to enclose the response within the function name

As a workaround, only meant for testing, I've added http://xyz.com to the trusted list and have enabled "Access Data Across Domains" for sites on this list. AFAIK, this option is only available on IE 5+ browsers. This workaround allows me to send and receive messages from http://127.0.0.1:8080.

My question is two-fold:
1) If I were to continue with the above approach when I go into production, what are the security implications that I'm exposing the user to? Can I plug those holes?
2) Are there any other options that I can pursue to achieve my objective?

PS: I would like to be as far away from ActiveX or Flash as possible, but in case that is the only workable alternative to my current approach, then I'll have to toe the line.

Cheers


Comments (2)

萌能量女王 2024-10-10 14:43:50


If the local application could serve a single HTML document, to act as a bridge, then you could easily use Cross-Document Messaging (for instance with easyXDM) together with AJAX requests from this document to do this. This is a very simple approach and one commonly used.

easyXDM actually comes with such a document, you can read about it here.
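The bridge-document approach this answer describes, as an added example that is not the answerer's code nor easyXDM's: the script below would run in a hypothetical bridge page served by ABC at http://127.0.0.1:8080/bridge.html, which https://xyz.com embeds in an iframe and talks to with postMessage. It assumes a local API under /api/ (a placeholder path) and shows the checks that address the security concern in the question: an origin allow-list on incoming messages, an allow-list of actions so the page cannot be used to reach arbitrary local URLs, and an explicit targetOrigin on every reply instead of "*".

```javascript
// Bridge page logic (hypothetical): runs same-origin with ABC on 127.0.0.1:8080,
// so its own XHR/fetch to ABC needs no CORS headers from ABC.
const ALLOWED_ORIGINS = new Set(["https://xyz.com"]);          // who may ask
const ALLOWED_ACTIONS = new Set(["status", "version"]);        // constructed allow-list
const LOCAL_API = "http://127.0.0.1:8080/api/";                // placeholder ABC path

// Pure validation step, kept separate from the DOM so it can be tested outside a
// browser. Returns null for anything that must be dropped, else the cleaned request.
function validateRequest(origin, data) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;             // foreign page: ignore
  if (!data || typeof data !== "object") return null;
  if (typeof data.id !== "string") return null;
  if (!ALLOWED_ACTIONS.has(data.action)) return null;          // no arbitrary local URLs
  return { id: data.id, action: data.action };
}

// The local URL is built only from an allow-listed action, never from raw input.
function localUrlFor(req) {
  return LOCAL_API + encodeURIComponent(req.action);
}

// Message handler. fetchFn and replyTo are injected so the same logic runs in a test
// harness; in the browser they are fetch and event.source.postMessage.
// Resolves to the reply that was sent, or null when the message was dropped.
async function handleMessage(event, fetchFn, replyTo) {
  const req = validateRequest(event.origin, event.data);
  if (!req) return null;
  let reply;
  try {
    const res = await fetchFn(localUrlFor(req));             // same-origin call to ABC
    reply = { id: req.id, ok: res.ok, body: await res.text() };
  } catch (err) {
    reply = { id: req.id, ok: false, body: "" };             // never leak error details
  }
  replyTo(reply, event.origin);   // explicit targetOrigin: only the validated asker
  return reply;
}

if (typeof window !== "undefined") {                          // browser wiring
  window.addEventListener("message", (ev) =>
    handleMessage(ev, fetch, (msg, origin) => ev.source.postMessage(msg, origin)));
}
```

On the https://xyz.com side the page would post `{id, action}` to the iframe with `iframe.contentWindow.postMessage(msg, "http://127.0.0.1:8080")` and check `event.origin === "http://127.0.0.1:8080"` on the reply.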

伪装你 2024-10-10 14:43:50


I think that the easiest would be to put a server script on https://xyz.com which will act as a bridge between the JavaScript file and ABC. Then the JavaScript file will simply send an AJAX request to its own server script, which will take care of fetching the information from the remote domain. The only other viable solution which would work among most browsers and which doesn't require using some client technology like Flash or ActiveX is JSONP, but you have ruled this out because you have no control over the remote domain.
