Cross-origin GET from a local file://
I'm trying to build an html file to monitor some things on a remote site - specifically, github.com. I'd like to be able to keep it to just that flat file, making the requests straight from the JS to github's API. My thought process went like this:
- Let's use jsonp, since I only need read access, so sticking with GETs should be fine.
- That fails because you can't do basic authentication with jsonp.
- Ok, I'll use Github's OAuth instead of basic authentication!
- That fails because the browser doesn't like me redirecting to a local resource: `Not allowed to load local resource: file:///Users/...` for understandable security reasons.
- Ok, I'll load Github's oauth in an iFrame, then get the resulting url (which should contain the oauth code I need).
- That fails because you apparently can't access anything about a child iframe if it's on another domain, so unless I redirect back to file:///whatever, I can't get the final url. And, of course, I can't redirect to file:///whatever because of the `Not allowed to load local resource` again.
- Ok, I'll use Cross-Origin Resource Sharing (going back to basic auth again)!
- That fails because CORS from a file:/// url sends the origin header as null, which servers won't accept
So, any suggestions as to how to successfully authenticate to this api from a single, local html file - either as a way around the above tacks, or another idea entirely?
Comments (1)
If you are using google chrome you could try running it with the `--allow-file-access-from-files` switch enabled.
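Why a server refuses the `Origin: null` that a file:// page sends, shown from the server's side as an added example that is not part of the original post or GitHub's code. `ALLOWED_ORIGINS`, `corsHeadersFor` and the sample origins are hypothetical names and constructed values.

```javascript
// Added example: server-side CORS decision for an incoming Origin header.
// ALLOWED_ORIGINS and corsHeadersFor are hypothetical, not GitHub's code.
const ALLOWED_ORIGINS = new Set([
  "https://dashboard.example.com", // constructed sample value
  "http://localhost:8000",         // constructed sample value
]);

// Returns the CORS response headers to send, or null when the request
// must not be granted cross-origin read access.
function corsHeadersFor(originHeader, { withCredentials = false } = {}) {
  // No Origin header: not a CORS request, nothing to add.
  if (originHeader === undefined) return null;

  // Pages loaded from file://, sandboxed iframes and data: URLs all
  // serialize their origin as the literal string "null". Allowing it would
  // grant access to every such document at once, so it is never matched.
  if (originHeader === "null") return null;

  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return null; // malformed Origin value
  }
  // Exact comparison on the normalized origin; no substring or suffix matching.
  if (parsed.origin !== originHeader || !ALLOWED_ORIGINS.has(parsed.origin)) {
    return null;
  }

  const headers = {
    "Access-Control-Allow-Origin": parsed.origin,
    "Vary": "Origin", // the response differs per Origin, so caches must key on it
  };
  if (withCredentials) {
    // Credentialed requests (such as basic auth) require an explicit origin,
    // never "*", together with this header.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Constructed sample requests.
for (const origin of ["null", "https://dashboard.example.com", "https://evil.example"]) {
  console.log(origin, "->", corsHeadersFor(origin, { withCredentials: true }));
}
```
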