jQuery.load()，混合 HTTP/HTTPS 和 Internet Explorer

发布于 2024-10-07 02:25:00 字数 413 浏览 4 评论 0原文

我正在尝试使用 jQuery.load('https://someurl.com .someClass') 加载远程 HTML 页面。执行加载的页面位于 HTTPS 上；远程页面可用作 HTTP 和 HTTPS。在合理的浏览器中一切工作正常，但 IE 抛出混合 HTTP/HTTPS 内容安全警告 - 远程页面具有 HTTP 链接包含的 CSS 和 JS，即使作为 HTTPS 请求也是如此。关于如何在 IE 中成功提取混合内容文件而不触发警告的任何线索？修改远程页面不是一个选项。

编辑

需要明确的是，我正在尝试通过 HTTPS 加载远程文件。该文件包含 HTTP 资源（img、css、js）的链接；因为我为 .load() 提供了一个选择器，所以合理的浏览器不会尝试解析 &执行该文件； IE 确实如此。

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

铁憨憨 2024-10-14 02:25:00

您无法绕过 IE 中的混合内容警告。如果远程资源可通过 HTTP 和 HTTPS 访问，您可以确保您的协议匹配 jQuery.load(location.protocol + '//someurl.com .someClass')

根据混合问题进行更新- 远程页面中的内容：

jQuery.load 将整个responseText加载到documentFragment中，然后拉出选择器指示的适当部分（请参阅jQuery 1.4.4 ajax.js）。整个远程页面被解析为 HTML，并且必须经过浏览器的安全流程；在许多方面，通过确保所有协议匹配和/或仅返回片段（如果这就是您所需要的），可以更简单地确保响应是“干净的”。

如果您不修改其他资源（这将更加健壮），则需要将所有出现的 HTTP 替换为 HTTPS（反之亦然），而远程资源仍然只是一个细绳。下面是一个脆弱的 jQuery 插件作为该技术的示例，大部分摘自 jQuery 1.4.4 $.load 函数：

(function($){
    var http = "http:",
        https = "https:",
        rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
        proto = location.protocol,
        otherProtoUri = new RegExp("\\b" + (proto === http ? https : http) + "(//[a-z\\d.-]+)", "gi");

    $.fn.protocolModifyLoad = function(url, yesIKnowThisIsFragile, selector) {
        var self = this;

        if ( !this.length || !yesIKnowThisIsFragile) {
            return this;
        }

        $.ajax({
            url: url,
            type: "GET",
            dataType: "html",
            complete: function( res, status ) {
                // If successful, inject the HTML into all the matched elements
                if ( status === "success" || status === "notmodified" ) {
                    // Force occurences of the other protocol into the current one
                    var response = res.responseText.replace(otherProtoUri, proto + "$1");

                    // See if a selector was specified
                    self.html( selector ?
                        // Create a dummy div to hold the results
                        jQuery("<div>")
                            // inject the contents of the document in, removing the scripts
                            // to avoid any 'Permission Denied' errors in IE
                            .append(response.replace(rscript, ""))

                            // Locate the specified elements
                            .find(selector) :

                        // If not, just inject the full result
                        response);
                }
            }
        });

        return this;
    };
})(jQuery);

用法：$('#your > .selector').protocolModifyLoad(location.protocol + '//someurl.com', 'thisIsFragile!! !', '.someClass');

此函数省略了 $.load 的 callback 和 params 参数以及 添加 >yesIKnowThisIsFragile 参数作为微妙的提醒。

You can't get around the mixed-content warning in IE. If the remote resource is available via both HTTP and HTTPS you can make sure your protocols match jQuery.load(location.protocol + '//someurl.com .someClass')

Updated based on the problem being mixed-content in the remote page:

jQuery.load loads the entire responseText into a documentFragment before pulling out the appropriate part indicated by the selector (see jQuery 1.4.4 ajax.js). The entire remote page is parsed as HTML and must go through the browser's security processes; in many ways it's simpler to make sure the response is "clean" by making sure all the protocols match and/or only returning a fragment if that's all you need.

If you won't be modifying the other resource, which would be much more robust, you'll need to replace all occurrences of HTTP with HTTPS (or vice versa) while the remote resource is still just a string. Here's a fragile jQuery plugin as an example of this technique, mostly ripped from jQuery 1.4.4 $.load function:

(function($){
    var http = "http:",
        https = "https:",
        rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
        proto = location.protocol,
        otherProtoUri = new RegExp("\\b" + (proto === http ? https : http) + "(//[a-z\\d.-]+)", "gi");

    $.fn.protocolModifyLoad = function(url, yesIKnowThisIsFragile, selector) {
        var self = this;

        if ( !this.length || !yesIKnowThisIsFragile) {
            return this;
        }

        $.ajax({
            url: url,
            type: "GET",
            dataType: "html",
            complete: function( res, status ) {
                // If successful, inject the HTML into all the matched elements
                if ( status === "success" || status === "notmodified" ) {
                    // Force occurences of the other protocol into the current one
                    var response = res.responseText.replace(otherProtoUri, proto + "$1");

                    // See if a selector was specified
                    self.html( selector ?
                        // Create a dummy div to hold the results
                        jQuery("<div>")
                            // inject the contents of the document in, removing the scripts
                            // to avoid any 'Permission Denied' errors in IE
                            .append(response.replace(rscript, ""))

                            // Locate the specified elements
                            .find(selector) :

                        // If not, just inject the full result
                        response);
                }
            }
        });

        return this;
    };
})(jQuery);

Usage: $('#your > .selector').protocolModifyLoad(location.protocol + '//someurl.com', 'thisIsFragile!!!', '.someClass');

This function omits the callback and params arguments of $.load and the yesIKnowThisIsFragile argument was added as a subtle reminder.

回复收藏 0 原文