有人可以帮助我更好地了解跨站脚本政策吗
我试图更好地理解跨站点脚本并让使用:
http://api.beatport.com/crossdomain .xml 为例。
XML 列出了所有域都允许访问。但是,当我从 HTML 页面内(或从控制台内)发出请求时,它将失败,并出现类似以下内容的错误:
XMLHttpRequest cannot load http://api.beatport.com/catalog/tracks. Origin <mydomain> is not allowed by Access-Control-Allow-Origin.
但我觉得奇怪的是,如果我将请求放在地址栏中在我的浏览器中,请求通过。
有人可以解释一下发生了什么以及我需要做什么来解决这个问题,因为显然 API 允许从任何域进行访问。
I'm trying to better understand Cross Site Scripting and lets use:
http://api.beatport.com/crossdomain.xml as the example.
The XML lists that all domains are allowed access. However when I make the request from within my HTML page (or from within the console) it will fail with an error similar to:
XMLHttpRequest cannot load http://api.beatport.com/catalog/tracks. Origin <mydomain> is not allowed by Access-Control-Allow-Origin.
What I find weird though, is if I put the request in the address bar of my browser, the request goes through.
Can someone please explain what is going on and what I need to do to fix this because clearly the API allows access from any domain.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
XMLHttpRequest不会查看crossdomain.xml,它会查看错误消息中提到的Access-Control-Allow-Origin标头。因此,服务器需要发送如下标头:
Access-Control-Allow-Origin: *如果他们不发送该标头 (
http://api.beatport.com/catalog /tracks没有),它将被拒绝。XMLHttpRequestdoesn't look atcrossdomain.xml, it looks atAccess-Control-Allow-Originheader as mentioned in the error message.So the server needs to send a header like this:
Access-Control-Allow-Origin: *If they don't send that header (
http://api.beatport.com/catalog/tracksdoesn't), it will be denied.