为了绕过 ajax“同源策略”，需要编写 PHP ajax 请求转发器吗？

发布于 2024-10-16 14:03:18 字数 401 浏览 7 评论 0原文

我想通过在我的网站上设置一个基本上充当 JSON 代理的 php 页面来绕过 ajax 同源策略。例如，我发出这样的 ajax 请求：

mysite.com/myproxy.php?url=blah.com/api.json&a=1&b=2

然后它发出请求：

blah.com/api.json?a=1&b=2

并将 JSON（或其他）结果返回给原始请求者。现在我假设如果我写这个 php 代码我会愚蠢地重新发明轮子（加上我不知道 php！） - 是否有一些预先存在的代码可以做到这一点？我确信我不是唯一一个曾经反对同源政策的人。

哦，是的，JSONP 不是这个特定 api 的选项。

谢谢大家

原文

I want to bypass the ajax same-origin policy by having a php page on my site that basically acts like a JSON proxy. Eg i make an ajax request like this:

mysite.com/myproxy.php?url=blah.com/api.json&a=1&b=2

It then makes a request to:

blah.com/api.json?a=1&b=2

And returns the JSON (or whatever) result to the original requester.
Now i assume i'd be stupidly reinventing the wheel if i wrote this php code (plus i don't know php!) - is there some pre-existing code to do this? I'm sure i'm not the only one who's butted my head up against the same-origin policy before.

Oh yeah JSONP isn't an option for this particular api.

Thanks all

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

娜些时光，永不杰束 2024-10-23 14:03:18

好吧，有件事——
将其放入 php 脚本中，像这样调用它
script.php?url=blah

发布您想要发布到服务器的内容。

<?php


$curlPost = http_build_query($_POST);
$ch = curl_init(); 
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
curl_setopt($ch, CURLOPT_HEADER, 1); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
curl_setopt($ch, CURLOPT_POST, 1); 
curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost); 
$data = curl_exec($ch); 
curl_close($ch); 

echo json_encode($data);
 ?>

现在这个脚本对我来说有点太开放了，所以为了提高安全性，我建议您将域列表添加到白名单中。

所以将其添加到顶部：

$whitelist = array('http://www.google.com','http://www.ajax.com');
$list = array();
foreach($whitelist as $w)
 $list[] = parse_url($w,PHP_URL_HOST);

$url = $_GET['url'];
$url = pathinfo($url,PHP_URL_HOST);
if(!in_array($url, $list)) die('no access to that domain');

Okay, here's something -
Slap this into a php script, call it like this
script.php?url=blah

post the contents you want posted to the server.

<?php


$curlPost = http_build_query($_POST);
$ch = curl_init(); 
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
curl_setopt($ch, CURLOPT_HEADER, 1); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
curl_setopt($ch, CURLOPT_POST, 1); 
curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost); 
$data = curl_exec($ch); 
curl_close($ch); 

echo json_encode($data);
 ?>

Now this script is a bit too open for my liking, so to increase security I would recommend that you add a list of domains to a white list.

So add this to the top:

$whitelist = array('http://www.google.com','http://www.ajax.com');
$list = array();
foreach($whitelist as $w)
 $list[] = parse_url($w,PHP_URL_HOST);

$url = $_GET['url'];
$url = pathinfo($url,PHP_URL_HOST);
if(!in_array($url, $list)) die('no access to that domain');

回复收藏 0 原文

~没有更多了~