Cross-domain request to localhost
DISCLAIMER: I've already looked at various approaches to solve my issue, so please read this before labeling this as a duplicate question.

I have a javascript running on https://xyz.com which has to retrieve information from an application ABC running on the user's local machine, say port 8080. My constraints are that I cannot modify the HTTP headers emanating from the ABC, nor do I want the user to install another application which will be a conduit to route my requests through to ABC.

Cross-Domain/Window Messaging Options

a) window.postMessage: Ruled out since I cannot have script running on the local machine
b) XDR Object (IE) or Access-Control-Allow-Origin (Firefox, Safari et al): Ruled out since I cannot modify the header
c) JSONP: Again this will not work since I am unable to enclose the response within the function name

As a workaround, only meant for testing, I've added http://xyz.com to the trusted list and have enabled "Access Data Across Domains" for sites on this list. AFAIK, this option is only available on IE 5+ browsers. This workaround allows me to send and receive messages from http://127.0.0.1:8080.

My question is two-fold:

1) If I were to continue with the above approach when I go into production, what are the security implications that I'm exposing the user to? Can I plug those holes?
2) Are there any other options that I can pursue to achieve my objective?

PS: I would like to be as far away from ActiveX or Flash as possible, but in case that is the only workable alternative to my current approach then I'll have to toe the line.

Cheers
If the local application could serve a single html document, to act as a bridge, then you could easily use Cross-Document Messaging (for instance with easyXDM) together with ajax requests from this document to do this. This is a very simple approach and one commonly used.
easyXDM actually comes with such a document, you can read about it here.
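The bridge pattern this answer describes, as an added example that is not code from the original post or from easyXDM: the local application serves a small bridge document (assumed here to live at http://127.0.0.1:8080/bridge.html), the page on https://xyz.com embeds it and talks to it with postMessage, and the bridge makes same-origin requests to ABC on the page's behalf. The part that matters for the asker's first question is that both sides pin the origin they will accept and the origin they post to, and the bridge only forwards an allowlist of paths, so enabling a browser-wide "access data across domains" setting is not needed. The endpoint names, the `fetchLocal` stand-in for a same-origin XMLHttpRequest, and the fake windows used to run the round trip offline are constructed for the example.

```javascript
// Added example, not code from the original post or from easyXDM: a minimal
// cross-document messaging bridge between https://xyz.com and a bridge
// document served by the local app. Assumed: ABC serves
// http://127.0.0.1:8080/bridge.html and answers same-origin requests there.

const SITE_ORIGIN = "https://xyz.com";          // the only origin the bridge answers
const BRIDGE_ORIGIN = "http://127.0.0.1:8080";  // where bridge.html is served (assumed)
const ALLOWED_PATHS = new Set(["/status", "/version"]); // local endpoints the bridge may forward (assumed)

// ---- bridge.html side (same origin as ABC) ----
// Validates the sender's origin and the requested path before touching ABC.
// fetchLocal(path) stands in for a same-origin XMLHttpRequest to ABC.
function handleBridgeRequest(event, fetchLocal) {
  if (event.origin !== SITE_ORIGIN) return null;          // ignore any other site
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.id !== "number") return null;
  if (!ALLOWED_PATHS.has(msg.path)) return null;          // no arbitrary forwarding
  return { id: msg.id, body: fetchLocal(msg.path) };
}

// Reply only to the trusted origin; a "*" targetOrigin would hand ABC's data
// to whatever document currently owns the source window.
function replyToSite(event, reply) {
  if (reply === null) return false;
  event.source.postMessage(reply, SITE_ORIGIN);
  return true;
}

// ---- https://xyz.com side ----
// Sends a request into the bridge iframe, pinned to the bridge's origin.
function sendToBridge(bridgeWindow, id, path) {
  bridgeWindow.postMessage({ id, path }, BRIDGE_ORIGIN);
}

// Accepts a reply only if it really came from the bridge origin.
function acceptReply(event) {
  if (event.origin !== BRIDGE_ORIGIN) return null;
  const r = event.data;
  if (!r || typeof r !== "object" || typeof r.id !== "number") return null;
  return r;
}

// ---- Constructed offline round trip (no browser needed) ----
// A fake window that records what was posted and to which targetOrigin.
function fakeWindow() {
  const w = { posted: [] };
  w.postMessage = (data, targetOrigin) => w.posted.push({ data, targetOrigin });
  return w;
}

// Runs one request through both sides; senderOrigin is what the browser
// would report as event.origin for the message that reaches the bridge.
function roundTrip(path, senderOrigin) {
  const localData = { "/status": "ABC running", "/version": "1.2" }; // constructed
  const fetchLocal = (p) => localData[p];
  const bridgeWin = fakeWindow();
  const siteWin = fakeWindow();
  sendToBridge(bridgeWin, 1, path);
  const evtToBridge = { origin: senderOrigin, source: siteWin, data: bridgeWin.posted[0].data };
  const reply = handleBridgeRequest(evtToBridge, fetchLocal);
  if (!replyToSite(evtToBridge, reply)) return null;
  const evtToSite = { origin: BRIDGE_ORIGIN, source: bridgeWin, data: siteWin.posted[0].data };
  return acceptReply(evtToSite);
}

// roundTrip("/status", "https://xyz.com")      -> { id: 1, body: "ABC running" }
// roundTrip("/status", "https://evil.example") -> null (wrong origin, dropped)
// roundTrip("/admin",  "https://xyz.com")      -> null (path not allowlisted)
```

In a real deployment the `event` objects come from `window.addEventListener("message", ...)` on each side and `fetchLocal` is a same-origin XMLHttpRequest inside bridge.html; the origin checks and the path allowlist are what keep a third-party page from using the bridge as an open proxy into ABC.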
I think that the easiest would be to put a server script on https://xyz.com which will act as a bridge between the javascript file and ABC. Then the javascript file will simply send an AJAX request to its own server script, which will take care of fetching the information from the remote domain. The only other viable solution which would work among most browsers and which doesn't require using some client technology like Flash or ActiveX is JSONP, but you have ruled this out because you have no control over the remote domain.