Supporting the same-origin policy between http and https
I am using jQuery Ajax to request an API using the POST method.
My pages are going to be viewed on mobile, hence we are keeping them very light and also using http as the protocol.
A few of our APIs pass tokens which would need to be secured, hence we were planning to use the https protocol.
We have exposed both the http and https endpoints on our WCF service. Also, we have made sure to allow cross scripting by adding the following config in our web.config:
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Methods" value="POST, GET, OPTIONS"/>
        <add name="Access-Control-Allow-Headers" value="*"/>
      </customHeaders>
    </httpProtocol>
At the WCF operation contract, I have checked for the OPTIONS header to return by setting the above headers. The request never reaches the WCF operation. The browser itself stops the request because of the same-origin policy.
I have observed getJSON works, but there were a few limitations, like it doesn't allow the POST method or complex objects to be passed.
What surprises me is that I have seen implementations where this is being allowed. Below is an example of what works in cross scripting.
Ex:
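    function onSuccess(data) {
        console.log("in on success");
        console.log(data);
        $.ajax({
            url: closure_compiler_service, // cross-origin service URL, defined elsewhere
            type: 'POST',
            dataType: 'json',
            // URL-encode the user-supplied source so '&', '+' and '=' in it do not corrupt the form body
            data: 'js_code=' + encodeURIComponent($("#eval").val()) + "&output_info=compiled_code&output_format=json&compilation_level=WHITESPACE_ONLY&formatting=pretty_print",
            success: function (jscode) {
                //do something...
            },
            error: function () {
                console.log("Error from Closure compile");
            },
            async: false // synchronous request: blocks the page until the service replies
        });
    }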
Am I missing anything to work around the same-origin policy?
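Added example, not part of the original question: a simplified JavaScript model of the CORS checks a browser applies, showing that a form-encoded POST (jQuery's default content type, as in the Closure Compiler call above) is sent without a preflight, while a JSON POST with a custom header first needs a 2xx OPTIONS response carrying the `Access-Control-*` headers. The host `m.example.test`, the `X-Api-Token` header and all function names are assumptions made for illustration.

```javascript
// Simplified model of the browser-side CORS checks; all URLs and header values are constructed.
const SIMPLE_METHODS = ['GET', 'HEAD', 'POST'];
const SIMPLE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language', 'content-type'];

const lower = (headers) => Object.fromEntries(
  Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)]));
const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// An origin is scheme + host + port, so http:// and https:// on one host are different origins.
function isCrossOrigin(pageUrl, apiUrl) {
  return new URL(pageUrl).origin !== new URL(apiUrl).origin;
}

// Request headers that are not CORS-safelisted and therefore force an OPTIONS preflight.
function unsafeHeaders(req) {
  const h = lower(req.headers);
  return Object.keys(h).filter((name) => {
    if (!SAFE_HEADERS.includes(name)) return true;
    const mime = h[name].split(';')[0].trim().toLowerCase();
    return name === 'content-type' && !SIMPLE_TYPES.includes(mime);
  });
}

function needsPreflight(req) {
  return !SIMPLE_METHODS.includes(req.method.toUpperCase()) || unsafeHeaders(req).length > 0;
}

// Decide whether a preflight response (status + headers) lets the real request go out.
function preflightAllows(req, status, responseHeaders) {
  const r = lower(responseHeaders);
  if (status < 200 || status > 299) return false; // the OPTIONS reply itself must be 2xx
  const origin = r['access-control-allow-origin'];
  if (req.credentials) { // with cookies or HTTP auth, "*" is treated literally and never matches
    if (origin !== req.origin || r['access-control-allow-credentials'] !== 'true') return false;
  } else if (origin !== '*' && origin !== req.origin) return false;
  const methods = list(r['access-control-allow-methods']);
  const allowed = list(r['access-control-allow-headers']);
  const star = !req.credentials;
  const methodOk = SIMPLE_METHODS.includes(req.method.toUpperCase()) ||
    methods.includes(req.method.toLowerCase()) || (star && methods.includes('*'));
  return methodOk && unsafeHeaders(req).every(
    (h) => allowed.includes(h) || (star && allowed.includes('*') && h !== 'authorization'));
}

// Constructed inputs: the header set from the web.config above, and two POSTs from an http page.
const PAGE_CONFIG = { 'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Methods': 'POST, GET, OPTIONS', 'Access-Control-Allow-Headers': '*' };
const formPost = { method: 'POST', origin: 'http://m.example.test',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' } };
const jsonPost = { method: 'POST', origin: 'http://m.example.test',
  headers: { 'Content-Type': 'application/json', 'X-Api-Token': 'placeholder' } };
```

The model omits the value-length and byte restrictions on safelisted headers; browsers that predate wildcard support in `Access-Control-Allow-Headers` need the header names listed explicitly.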