Cross-domain AJAX POST in Chrome
There are several topics about the problem with cross-domain AJAX. I've been looking at these and the conclusion seems to be this:
Apart from using something like JSONP, or a proxy solution, you should not be able to do a basic jQuery $.post() to another domain.
My test code looks something like this (running on "http://myTestdomain.tld/path/file.html")
var myData = {datum1 : "datum", datum2: "datum"};
// "return" is a reserved word and cannot be used as a parameter name; use "response" instead
$.post("http://External-Ip:port", myData, function(response){ alert(response); });
When I tried this (the reason I started looking), chrome-console told me:
XMLHttpRequest cannot load http://External-IP:port/page.php. Origin http://myTestdomain.tld is not allowed by Access-Control-Allow-Origin.
Now this is, as far as I can tell, expected. I should not be able to do this. The problem is that the POST actually DOES come through. I've got a simple script running that saves the $_POST to a file, and it is clear the post gets through. Any real data I return is not delivered to my calling script, which again seems expected because of the Access-Control issue. But the fact that the post actually arrived at the server got me confused.
- Is it correct to assume that the above code running on "myTestdomain" should not be able to do a simple $.post() to the other domain (External-IP)?
- Is it expected that the request would actually arrive at the external IP's script, even though the output is not received? Or is this a bug? (I'm using Chrome 11.0.696.60)
Comments (4)
I posted a ticket about this on the WebKit bugtracker earlier, since I thought it was weird behaviour and possibly a security risk.
Since security-related tickets aren't publicly viewable, I'll quote the reply from Justin Schuh here:
So: you're allowed to do the POST since you could have done that anyway by embedding a form and triggering the submit button with javascript, but you can't see the result. Because you wouldn't be able to do that in the form scenario.
A solution would be to add a header to the script running on the target server, e.g.
Haven't tested that, but according to the spec, that should work.
Firefox 3.6 seems to handle it differently, by first doing an OPTIONS to see whether or not it can do the actual POST. Firefox 4 does the same thing Chrome does, or at least it did in my quick experiment. More about that is on https://developer.mozilla.org/en/http_access_control
The important thing to note about the JavaScript same-origin policy restriction is that it is something built into modern browsers for security - it is not a limitation of the technology or something enforced by servers.
To answer your question, neither of these are bugs.
Requests are not stopped from reaching the server - this gives the server the option to allow these cross-domain requests by setting the appropriate headers.
The response is also received back by the browser. Before the use of the access control headers, responses to cross-domain requests would be stopped dead in their tracks by a security-conscious browser - the browser would receive the response but it would not hand it off to the script. With the access control headers, the server has the option of setting the appropriate headers indicating to a compliant browser that it would like to allow certain origin URLs to make cross-domain requests.
The exact behaviour on response might differ between browsers - I can't recall for sure now but I think Chrome calls the success callback function when using jQuery's ajax() but the response is empty. IIRC, Firefox will not invoke the success function.
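The mechanism the two answers above describe, as an added example that is not code from either answer or from the original question: a Node.js handler for the target script that decides when the browser would send a preflight (Chrome's form-encoded $.post() needs none, so the request arrives first) and what the server can still do with a request that has already reached it. The allowed origin, the request object shape ({ method, headers }) and the "saved" body are assumptions.

```javascript
// Added example, not code from the answers above. It models what a Node.js
// handler standing in for page.php would have to decide. The allowed origin,
// the request shape ({ method, headers }) and the "saved" body are assumptions.
const ALLOWED_ORIGINS = new Set(["http://myTestdomain.tld"]);

// POST bodies with these content types make a CORS "simple request": the browser
// sends them straight away with no OPTIONS preflight, exactly like an HTML form
// submit. jQuery's $.post() sends application/x-www-form-urlencoded, so the
// request in the question reaches the server before any CORS decision is made.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Mirrors the browser's decision. `authorHeaders` are only the headers the
// script itself set; browser-added headers such as Origin do not count.
function needsPreflight(method, authorHeaders) {
  if (!["GET", "HEAD", "POST"].includes(method)) return true;
  for (const [name, value] of Object.entries(authorHeaders)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return true;
    if (lower === "content-type" &&
        !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) return true;
  }
  return false;
}

// Server side. Whatever is returned here, the handler has already run: the
// header only tells the browser whether the calling script may read the response.
function handleCrossOrigin(req) {
  const origin = req.headers["origin"];
  const allowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  if (req.method === "OPTIONS") {
    return allowed
      ? { status: 204, headers: { "Access-Control-Allow-Origin": origin,
                                 "Access-Control-Allow-Methods": "POST" }, body: "" }
      : { status: 403, headers: {}, body: "" };
  }
  // Because the POST arrives regardless of CORS, refuse unknown origins here
  // instead of relying on the browser to discard the response afterwards.
  if (origin !== undefined && !allowed) return { status: 403, headers: {}, body: "" };
  const headers = allowed ? { "Access-Control-Allow-Origin": origin, "Vary": "Origin" } : {};
  return { status: 200, headers, body: "saved" };
}
```

Echoing a specific allowed origin with Vary: Origin is what the first answer's "add a header on the target server" amounts to; the Origin check in the POST branch is the server-side decision the second answer says the browser leaves to the server.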
I get the same thing happening for me. You are able to post across domains but are not able to receive a response. This is what I expected to be able to do, and it happens for me in Firefox, Chrome, and IE.
One way to kind of get around this caveat is having a local PHP file which will fetch the data via curl and pass the response back to your JavaScript. (Kind of restating what you said you knew already.)
Yes, it's correct, and you won't be able to do that unless you use some kind of proxy.
No, the request won't go to the external IP as soon as such a limitation is in place.