静态网页和共享相同 TLD 的 google app-engine 服务器之间的 AJAX
我的主网站由可靠的静态网络托管服务托管。它只允许我托管 html、css、js 等静态文件。现在我有一些需要用户登录和数据存储的要求。我想我可以使用 App Engine Python 来处理这个问题。
我的应用程序类似于投票模块,因此我将使用其示例进行解释。 我的计划是配置如下:
main website: www.example.com
appengine: gae.example.com
在主网站上,匿名用户访问:http://www.example.com/vote.html,他应该看到当前的投票状态(已被从应用程序引擎检索)。和一个登录按钮(来自 twitter/facebook)。当他登录时,他应该能够投票并将投票保存回 appengine 服务器。
我可以处理大部分事情,但只有两件事。 (考虑同源策略。)
如何维护两个域名之间的身份验证。即
www.example.com和gae.example.com。- 从
www.example.com向gae.example.com发出 HTTP POST 请求并使用返回的 json 数据。
注意:我想尽可能避免 iframe。
I have the main website hosted by a reliable static web hosting service. Which only allow me to host static files like html, css, js etc. Now I have few requirements which would need user Login and data storage. I think I can handle this using App Engine Python.
My app is similar to a Voting module, So i will explain it using its example.
My plan is to configure things something like this:
main website: www.example.com
appengine: gae.example.com
On the main website an anonymous user visits: http://www.example.com/vote.html, he should see current voting status (which has been retrieved from app engine). and a login button (from twitter/facebook). when he logins, he should be able to cast his vote and the vote be saved back to the appengine server.
I can handle most of the things but two. (taking same origin policy into account.)
How do I maintain authentication between two domain names. i.e.
www.example.comandgae.example.com.How do I make HTTP POST request to the
gae.example.comfromwww.example.comand use the returned json data.
Note: I want to avoid iframes as much as possible.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您需要使用 JSONP。
子域名实际上违反了同源策略。这是因为某些托管解决方案为不同的用户提供子域。这将允许用户攻击彼此的网站。
请参阅:同源政策 - AJAX 和 AJAX使用公共 API
You need to use JSONP.
Subdomains actually violate the same origin policy. This is because some hosted solutions provide subdomains for different users. This would allow users to attack each other's sites.
See: Same Origin Policy - AJAX & using Public APIs
您可以通过确保在根域上设置登录 cookie 并允许子域访问来维护两个子域之间的登录。子域将能够访问根域的 cookie。请参阅 https:// /serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com 一些示例。
我不相信你可以直接对另一个子域进行ajax调用。如果目标子域正在合作并支持 JSONP,您可以这样做(您最终会插入一个脚本标记并调用一个脚本,然后该脚本会用数据回调您)。由于脚本的加载不受同源策略的约束,因此您可以解决它,但必须将目标子域配置为允许并支持 JSONP。
You can maintain login between the two sub-domains by making sure that the login cookie is set on the root domain with subdomain access allowed. The sub-domains will be able to access the cookies of the root domain. See https://serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com for some examples.
I don't believe you can make ajax calls directly to another sub-domain. If the target sub-domain is cooperating and supports JSONP, you can do it that way (you end up inserting a script tag with a call to a script and that script calls you back with the data). Because the loading of scripts isn't subject to the same origin policy, you can work around it, but the target sub-domain has to be configured to allow and support JSONP.