XMPP和同源策略问题

发布于 2024-11-28 11:58:46 字数 500 浏览 5 评论 0原文

我正在使用 OpenFire 服务器和 JSJaC 客户端库构建一个聊天应用程序。页面从 http://staging.mysite.com 加载，XMPP 在 http://xmpp.mysite.com。如您所见，它们共享同一个域。所以我在页面加载时使用以下代码。

function OnPageLoad (){
    document.domain = "mysite.com";
    DoLogin();
}

不管怎样，它让我异常，说我违反了安全规定。为什么 document.domain 不起作用？它应该有效还是只是为了“美丽”？如果是，在这种具体情况下可以做什么？

我无权访问库内的 XMLHttpRequest 对象，也无法控制它。

原文

I'm building a chat application using OpenFire server and JSJaC client library.
The page loads from http://staging.mysite.com and XMPP runs on http://xmpp.mysite.com. As you can see they both share the same domain. So I use the following code on page load.

function OnPageLoad (){
    document.domain = "mysite.com";
    DoLogin();
}

Anyway it throws me exception saying that I violate the security. Why document.domain doesn't work? Should it work or is it done just for a "beauty"? If yes, what can be done in this specific situation?

I don't have access to the XMLHttpRequest object inside the library and do not control it.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

那小子欠揍 2024-12-05 11:58:46

反正。我必须更深入地挖掘 JSJaC 库并对代码进行一些注入。但首先我做了一些解决方法。基本上，我将以下标头添加到响应中，

Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, *

通常这允许使用本机 xhr 发出跨域请求。然而事实证明它只适用于现代浏览器。例如，它在 IE8 中不起作用，并且任何版本的 Opera 都简单地拒绝了此标头。
然后我使用了基于闪存的解决方案。我使用 flXHR 并像这样修改了 jsjac.uncompressed.js 。

XmlHttp.create = function () {
    //  try {
    //    if (window.XMLHttpRequest) {
    //      var req = new XMLHttpRequest();
    //     
    //      // some versions of Moz do not support the readyState property
    //      // and the onreadystate event so we patch it!
    //      if (req.readyState == null) {
    //  req.readyState = 1;
    //  req.addEventListener("load", function () {
    //                 req.readyState = 4;
    //                 if (typeof req.onreadystatechange == "function")
    //               req.onreadystatechange();
    //               }, false);
    //      }
    //     
    //      return req;
    //    }
    //    if (window.ActiveXObject) {
    //      return new ActiveXObject(XmlHttp.getPrefix() + ".XmlHttp");
    //    }
    //  }
    //  catch (ex) {}
    //  // fell through
    //  throw new Error("Your browser does not support XmlHttp objects");
    var AsyncClient = new flensed.flXHR({
        "autoUpdatePlayer": true,
        "instanceId": "myproxy" + _xhrpf.toString(),
        // This is important because the library uses the response xml of the object to manipulate the data
        "xmlResponseText": true,
        "onreadystatechange": function () { }
    });
    // counter for giving a unique id for the flash xhr object.
    _xhrpf++;
    return AsyncClient;
};


var _xhrpf = 1;

然后我刚刚添加了跨域.xml 位于目标域的根目录中。现在，如果浏览器有 flash 插件，它就可以完美运行。
此外，如果没有flash插件，我想制作一些检测机制，只需制作一个本机xhr并希望浏览器支持跨域请求的标头。

Anyway. I had to dig a little bit deeper the JSJaC library and made some injections to the code. But first I've done some workaround. Basically I added the following headers to the response

Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, *

Generally this allowed to make crossdomain requests using a native xhr. However it proved to work in only modern browsers. For instance it didn't work in IE8 and any version of Opera simply rejected this header.
Then I used flash based solution. I used flXHR and modified jsjac.uncompressed.js like this.

XmlHttp.create = function () {
    //  try {
    //    if (window.XMLHttpRequest) {
    //      var req = new XMLHttpRequest();
    //     
    //      // some versions of Moz do not support the readyState property
    //      // and the onreadystate event so we patch it!
    //      if (req.readyState == null) {
    //  req.readyState = 1;
    //  req.addEventListener("load", function () {
    //                 req.readyState = 4;
    //                 if (typeof req.onreadystatechange == "function")
    //               req.onreadystatechange();
    //               }, false);
    //      }
    //     
    //      return req;
    //    }
    //    if (window.ActiveXObject) {
    //      return new ActiveXObject(XmlHttp.getPrefix() + ".XmlHttp");
    //    }
    //  }
    //  catch (ex) {}
    //  // fell through
    //  throw new Error("Your browser does not support XmlHttp objects");
    var AsyncClient = new flensed.flXHR({
        "autoUpdatePlayer": true,
        "instanceId": "myproxy" + _xhrpf.toString(),
        // This is important because the library uses the response xml of the object to manipulate the data
        "xmlResponseText": true,
        "onreadystatechange": function () { }
    });
    // counter for giving a unique id for the flash xhr object.
    _xhrpf++;
    return AsyncClient;
};


var _xhrpf = 1;

Then I just added a crossdomain.xml in the root of the target domain. Now it works perfectly if the browser has the flash plugin.
Further I want to make some detection mechanism if there is no flash plugin, just make a native xhr and hope for that the browser supports the headers for cross domain requests.

回复收藏 0 原文

~没有更多了~