JavaScript access from parent domain to subdomain?
Disclaimer: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/6277926/
Asked by Mark
I've read that setting document.domain = "example.com" lets me access the parent domain from a subdomain.
Will the same work the other way around?
Let's say my main site is running under http://example.com. All API functions that I want to access via AJAX (GET & POST) are hosted on http://api.example.com.
Will I be able to access api.example.com from example.com?
EDIT: Looking at document.domain again, I don't think that this will solve the problem. The results from calls to api.example.com are not necessarily HTML, but output from a PHP script running on the API server. It can be JSON, plain text, etc., so there's no way to set document.domain for that (since it's not an iframe).
Accepted answer by mplungjan
You need to set document.domain on BOTH pages
Alternatively set CORS headers on your server:
http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/
A Quick Overview of CORS
Firefox 3.5 and Safari 4 implement the CORS specification, using XMLHttpRequest as an “API container” that sends and receives the appropriate headers on behalf of the web developer, thus allowing cross-site requests. IE8 implements part of the CORS specification, using XDomainRequest as a similar “API container” for CORS, enabling simple cross-site GET and POST requests. Notably, these browsers send the ORIGIN header, which provides the scheme (http:// or https://) and the domain of the page that is making the cross-site request. Server developers have to ensure that they send the right headers back, notably the Access-Control-Allow-Origin header for the ORIGIN in question (or “*” for all domains, if the resource is public).
The CORS standard works by adding new HTTP headers that allow servers to serve resources to permitted origin domains. Browsers support these headers and enforce the restrictions they establish. Additionally, for HTTP request methods that can cause side-effects on user data (in particular, for HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers “preflight” the request, soliciting supported methods from the server with an HTTP OPTIONS request header, and then, upon “approval” from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether “credentials” (including Cookies and HTTP Authentication data) should be sent with requests.
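As an added example that is not part of mplungjan's answer or the Mozilla article, here is a minimal CORS policy for the api.example.com server from the question, written as a plain JavaScript (Node.js) function so it can be tested without starting a server. It applies the rules quoted above: answer the Origin header with a matching Access-Control-Allow-Origin, handle the OPTIONS preflight, and state whether credentials may be sent. The allowed origins, methods, headers and the Vary header are assumptions chosen for this illustration; `http://other.example` is a constructed origin used only to show what an unlisted caller receives.

```javascript
// Added example (not from the original answer): a minimal CORS policy
// function for an API host such as api.example.com. Hostnames, methods
// and header names below are assumptions for illustration.

// Origins allowed to call the API with cookies. Keep this an exact-match
// allowlist: never echo an arbitrary Origin back together with
// Access-Control-Allow-Credentials: true, because that would let any page
// read authenticated responses on behalf of a logged-in user. The "*"
// wildcard mentioned in the answer is only appropriate for public,
// credential-free resources.
const ALLOWED_ORIGINS = new Set([
  'http://example.com',
  'https://example.com',
]);

const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['Content-Type', 'X-Requested-With'];

// Compute the CORS-related response for one request.
// req: { method, headers } with lower-case header names, as Node.js provides.
// Returns { status, headers, handled }; handled === true means the request
// was a preflight and has been fully answered (no body needed).
function corsPolicy(req) {
  const origin = req.headers['origin'];
  const headers = {};

  // No Origin header: same-origin navigation or a non-browser client.
  // Nothing to add; the normal handler answers the request.
  if (origin === undefined) {
    return { status: 200, headers, handled: false };
  }

  // Unlisted origin: emit no Access-Control-* headers at all. The browser
  // then refuses to hand the response to the calling page. A preflight from
  // such an origin is rejected outright.
  if (!ALLOWED_ORIGINS.has(origin)) {
    if (req.method === 'OPTIONS') {
      return { status: 403, headers, handled: true };
    }
    return { status: 200, headers, handled: false };
  }

  headers['Access-Control-Allow-Origin'] = origin; // the exact origin, not '*'
  headers['Access-Control-Allow-Credentials'] = 'true';
  // Shared caches must key on Origin, or a response generated for one origin
  // could be replayed to another.
  headers['Vary'] = 'Origin';

  if (req.method === 'OPTIONS') {
    // Preflight: the browser asks which method and headers it may use.
    const wanted = req.headers['access-control-request-method'];
    if (!wanted || !ALLOWED_METHODS.includes(wanted.toUpperCase())) {
      return { status: 403, headers, handled: true };
    }
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // let the browser cache the preflight
    return { status: 204, headers, handled: true };
  }

  // Actual request from an allowed origin: headers are set, body follows.
  return { status: 200, headers, handled: false };
}

// Wiring into Node's http module so the same policy can run as a server
// for the API host. Not started here; call createServer().listen(port).
function createServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    const decision = corsPolicy(req);
    for (const [name, value] of Object.entries(decision.headers)) {
      res.setHeader(name, value);
    }
    if (decision.handled) {
      res.writeHead(decision.status);
      res.end();
      return;
    }
    // Placeholder API output standing in for the PHP script from the question.
    res.writeHead(200, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ ok: true }));
  });
}
```

The design choice worth noting is the empty response for unlisted origins: the server neither reflects the Origin nor sends a wildcard, so the browser's same-origin policy, not the server, does the blocking, and the API remains reachable by its own front end on example.com while other sites get nothing readable.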