Original source: http://stackoverflow.com/questions/7735955/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Cross-subdomain ajax request denied even when document.domain is set correctly
Asked by Chev
In my application I have a website on one sub-domain (dev.u413.com) and I use jQuery to make an ajax request to a JSON api on another sub-domain (api.u413.com). When I inspect the requests in Chrome dev tools and Firefox Firebug it appears my requests are being prevented by the Access-Control-Allowed-Origin. I set document.domain to a suffix of the current domain: document.domain = 'u413.com';
Here is my request:
    $.ajax({
        dataType: 'json',
        data: { parseAsHtml: true, cli: 'help' },
        url: 'http://api.u413.com/',
        success: function (response) {
            alert(response.Command);
        }
    });
If I modify the ajax request to be on the same domain then the request is successful.
    $.ajax({
        dataType: 'json',
        crossDomain: false,
        data: { parseAsHtml: true, cli: 'help' },
        url: 'http://dev.u413.com/',
        success: function (response) {
            alert(response.Command);
        }
    });
Why does this happen? The browser shouldn't complain about cross-domain problems since I set document.domain to a common suffix of both sub-domains as per the guidelines on the same origin policy.
I have the app working with jsonp currently but I feel like proper ajax requests should be working as per the same origin policy I linked above. I'd rather not use jsonp if I don't have to. Is it not possible to make regular ajax requests across sub-domains?
Answered by Darin Dimitrov
document.domain doesn't work with AJAX. It is intended for cross domain iframe and window communication. In your case you are violating the same origin policy (last line of the table) so you need to use either JSONP or server side bridge.
Here's a very nice guide which illustrates different techniques for achieving cross domain AJAX requests.
Answered by George
The same origin policy is one of the most frustrating browser-related topics I have had to deal with. Silly to me that 2 servers on the same domain cannot communicate. Unfortunately the same origin policy considers even 2 requests to the same server but on a different port a violation of the same origin policy. I think this will get better with future browsers:
http://www.html5rocks.com/en/tutorials/file/xhr2/
Search for: Cross Origin Resource Sharing (CORS)
Basically your server just has to set a response header saying "yeah it is ok to allow cross domain or cross subdomain calls to server xyz".
It will be some time before all browsers support this, I'm sure (and hell, I have to support IE8 till most of our users are off it anyway) - but at least there is light at the end of the tunnel.
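An added example, not part of the answer above or of the original thread: one way the API host could set the CORS response header the answer describes, allowing only the site's own sub-domain. ALLOWED_ORIGINS, corsHeaders and handler are hypothetical names, the hosts are the ones from the question, and the handler is written in the shape Node's http.createServer expects.

```javascript
// Added example. ALLOWED_ORIGINS, corsHeaders and handler are hypothetical names;
// the two hosts are the ones from the question.
const ALLOWED_ORIGINS = new Set(['http://dev.u413.com']);

// Build the CORS headers for one request to the API host.
// Compare the whole Origin value against the allowlist: a suffix test such as
// endsWith('u413.com') would also accept hosts outside the domain.
function corsHeaders(origin, method) {
  const headers = { 'Vary': 'Origin' };   // responses differ per Origin, so tell caches
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return headers;                        // no allow header: browser blocks the read
  }
  headers['Access-Control-Allow-Origin'] = origin;  // the exact origin, not "*"
  if (method === 'OPTIONS') {              // preflight sent before non-simple requests
    headers['Access-Control-Allow-Methods'] = 'GET';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Request handler in the shape Node's http.createServer(handler) expects.
function handler(req, res) {
  const headers = corsHeaders(req.headers.origin, req.method);
  if (req.method === 'OPTIONS') {
    res.writeHead(204, headers);
    res.end();
    return;
  }
  headers['Content-Type'] = 'application/json';
  res.writeHead(200, headers);
  res.end(JSON.stringify({ Command: 'help' }));  // constructed sample body
}
```

CORS only decides whether a page on another origin may read the response; the API still needs its own authentication and authorization for anything sensitive.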
Answered by stevebot
You need to add document.domain = 'u413.com' to your other sub domain as well.
Answered by Alex W
Is it not possible to make regular ajax requests across sub-domains?
This is not technically AJAX, but you can mimic an AJAX request with a form submission successfully going cross-domain. The downside is you can't access the response and this will cause the page to be redirected to the form's ACTION URL.
Instead of this:
    jQuery.post('https://www.com', {
        'offerCode': 523153,
        'accountNumber': '',
        '_item.x': '42',
        '_item.y': '21'
    });
Use this:
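    // A string literal cannot span lines, so the markup is joined from parts.
    // The form is attached to the document first; browsers do not submit a
    // form that is not connected to it.
    jQuery([
        '<form action="https://www.com" method="POST">',
        '<input type="text" name="offerCode" value="523153">',
        '<input type="text" name="accountNumber" value="">',
        '<input type="text" name="_item.x" value="42">',
        '<input type="text" name="_item.y" value="21">',
        '</form>'
    ].join('')).appendTo(document.body).trigger('submit');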