Same-origin issue (file upload)
The client is on domain foo.com and needs to upload (send a POST XMLHttpRequest) to upload.foo.com.
This is restricted because of the same-origin policy.
However, the workaround that I managed to come up with is to dynamically create an iframe on foo.com opening upload.foo.com and append the JavaScript code which executes the POST request from upload.foo.com, like this:

iframe.onLoad
[..]
(a=(b=doc)
.createElement('script'))
.src='http://foo.com/upload.php?'+Math.random(),
b.body.appendChild(a);
void(0);

Now, to me this seems redundant: if the latter is possible, my logic tells me that the former should be possible as well. Is it?

-- update

I have just noticed that there is a file on the subdomain containing this:

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="*.foo.com" secure="false" />
</cross-domain-policy>

Can I use it somehow to my advantage?
2 answers
XMLHttpRequest is not sensitive to document.domain because the object requires mutual opt-in for security reasons, and XHR has no way of knowing what the target might want the document.domain value to be set to. In order for SiteA to interact with the DOM of a site on SiteB, both sites must share a common private domain suffix, and both must opt-in to the communication by setting document.domain to their common suffix.
Your cross-domain policy file doesn't actually make a lot of sense (as it opts-in everything, and then a subset of everything) but it's used for Flash, not XHR (which uses CORS).
I don't think it's possible to simplify this, but if it seems inelegant to you, there are simpler ways to use cross-origin JS.
Indeed, this is almost exactly what jQuery does if you try to send a request using jsonp. Wikipedia for JSONP
(Along with several other ways to bypass the same-origin restriction)
I don't know if this is what you're asking about, but in the name of maintainability, I would advise that you use the jQuery approach.
You need to set dataType: 'jsonp' and you're all set.
You can optionally set the parameter "callback=?" (look at the docs).
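To make the jQuery suggestion above concrete, here are both halves of the exchange that `dataType: 'jsonp'` performs: the client rewriting `callback=?` into a generated function name and loading the URL as a script, and the server wrapping its JSON in a call to that name. This is an added example, not the answer's code and not jQuery's own implementation; the endpoint `http://upload.foo.com/status.php` and the payload are constructed for illustration, and `callback` is jQuery's default parameter name. The one thing a practitioner must check on the server is the callback name, since the response is JavaScript executed in the caller's page.

```javascript
// Added example, not from the original answer and not jQuery's own code: the
// two halves of a JSONP exchange of the kind dataType: 'jsonp' performs. The
// endpoint http://upload.foo.com/status.php and the data it returns are
// constructed for illustration; "callback" is jQuery's default parameter name.

// Client side: jQuery replaces the "?" in callback=? with a generated global
// function name and loads the URL as a <script>. This is a plain GET, so only
// what fits in the query string reaches the server.
function buildJsonpUrl(url, functionName) {
  return url.replace(/([?&]callback)=\?/, "$1=" + encodeURIComponent(functionName));
}

// Server side: the response body is JavaScript executed in the caller's page,
// so the callback name is attacker-controlled code unless validated. Accept
// only a dotted identifier; callback=alert(document.cookie)// is refused.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// query: parsed query-string object ({ callback: "..." }); payload: the JSON
// data to return. Returns { status, headers, body } for the HTTP response.
function jsonpResponse(query, payload) {
  const cb = query.callback;
  if (typeof cb !== "string" || cb.length > 64 || !CALLBACK_RE.test(cb)) {
    return { status: 400, headers: {}, body: "" };
  }
  // U+2028/U+2029 are legal inside JSON strings but are line terminators in
  // JavaScript source, so escape them to keep the script body intact.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff", // never sniffed as HTML or another type
    },
    // The leading comment means the body never starts with caller-chosen
    // bytes; defence in depth on top of the identifier check above.
    body: `/**/${cb}(${json});`,
  };
}
```

Because the request is a script-tag GET, JSONP carries only query-string parameters, so it suits polling for upload status or fetching metadata rather than transferring the file body itself.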