JavaScript 跨域调用:从 HTTP 调用到 HTTPS
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/8414786/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
JavaScript cross-domain call: call from HTTP to HTTPS
提问by Matías Fidemraizer
I need to make an asynchronous call to a secure (HTTPS) URL for the same domain.
我需要对同一域的安全 (HTTPS) URL 进行异步调用。
Currently the page is working with regular HTTP (non-secure).
目前该页面正在使用常规 HTTP(非安全)。
In other words: this is calling an URL in the same domain but using HTTPS.
换句话说:这是调用同一域中的 URL,但使用 HTTPS。
Before switching this calls to HTTPS I ended implementing a server-side proxy to allow cross-domain AJAX calls, but now I'm facing same origin policy since HTTP and HTTPS are considered different origins too. So this proxy is unusable.
在将此调用切换到 HTTPS 之前,我结束了实现服务器端代理以允许跨域 AJAX 调用,但现在我面临着同源策略,因为 HTTP 和 HTTPS 也被认为是不同的来源。所以这个代理是不可用的。
Summary: how to do cross-domain, asnynchronous POST requests in this scenario?
总结:这种场景下如何做跨域、异步的POST请求?
Various notes:
各种注意事项:
- I couldn't accept any answer suggesting JSONP. Asynchronous calls must be using POST verb.
- I'm using latest version of jQuery. Answer could be based on this library, or any other solving this problem.
- Accessing the entire page over HTTPS isn't a solution.
- Server platform is Microsoft .NET 4.0 (ASP.NET 4.0).
UDPATE: CORS isn't an option. There's no wide support for this in modern browsers.
- 我不能接受任何建议使用 JSONP 的答案。异步调用必须使用 POST 动词。
- 我正在使用最新版本的 jQuery。答案可能基于此库,或任何其他解决此问题的方法。
- 通过 HTTPS 访问整个页面不是解决方案。
- 服务器平台为 Microsoft .NET 4.0 (ASP.NET 4.0)。
UDPATE:CORS 不是一个选项。现代浏览器对此没有广泛支持。
采纳答案by Matías Fidemraizer
First of all, I've +1 both questions from @missingo and @PiTheNumber.
首先,我对@missingo 和@PiTheNumber 的两个问题都提出了+1。
After spending a lot of hours, I've arrived to the conclusion I'm going to switch the entire page to HTTPS. That's because:
花了很多时间后,我得出结论,我要将整个页面切换到 HTTPS。那是因为:
Most moderns browsers support CORS, but Internet Explorer, starting from 8th version has a proprietary implementation (XDomainRequest object), which may be disabled in some computers (mine had cross-domain request disabled by default in Internet security zone).
Opera doesn't support CORS. 12th version will support it, but this isn't an option as users should adopt this new version first, and this won't be in 2 days.
I need to do cross-domain requests since Web client application must request a RESTful service layer located in another domain. No way.
Switching everything to HTTPS makes the service layer proxy approach work again (this is the expected behavior).
大多数现代浏览器都支持 CORS,但 Internet Explorer 从第 8 版开始有一个专有实现(XDomainRequest 对象),可能在某些计算机中被禁用(我的在 Internet 安全区域默认禁用跨域请求)。
Opera 不支持 CORS。第 12 个版本将支持它,但这不是一个选项,因为用户应该首先采用这个新版本,这不会在 2 天内。
我需要进行跨域请求,因为 Web 客户端应用程序必须请求位于另一个域中的 RESTful 服务层。没门。
将所有内容都切换到 HTTPS 会使服务层代理方法再次起作用(这是预期的行为)。
Thanks anyway because both answer have helped me a lot for arriving to this conclusion.
无论如何,谢谢,因为这两个答案对我得出这个结论有很大帮助。
UPDATE
更新
@Sam has added a comment that could be interesting for anyone. It's about how to get CORS in Internet Explorer 8 and 9 (see #7): http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx
@Sam 添加了任何人都可能感兴趣的评论。这是关于如何在 Internet Explorer 8 和 9 中获取 CORS(参见 #7):http: //blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds。 aspx
回答by PiTheNumber
I am using Access-Control-Allow-Origin. You just send the header and you are fine.
我正在使用Access-Control-Allow-Origin。您只需发送标题就可以了。
See also AJAX, Subdomains, and SSL
另请参阅AJAX、子域和 SSL
回答by hugomg
You should reconsider accessing the whole page over HTTPS or at least be really sure this is not feasible.
您应该重新考虑通过 HTTPS 访问整个页面,或者至少要确定这是不可行的。
By loading the initial page and script over HTTP the user has no security guarantee that the script is the one you originally intended to send and is not being manipulated by a third party (by, for example, keylogging his password). This means that any HTTPS request that bypasses the SOP will not provide the same security guarantees as a HTTPS request from a page originally served over HTTPS.
通过通过 HTTP 加载初始页面和脚本,用户无法保证脚本是您最初打算发送的脚本并且没有被第三方操纵(例如,通过键盘记录他的密码)。这意味着任何绕过 SOP 的 HTTPS 请求都不会提供与来自最初通过 HTTPS 提供服务的页面的 HTTPS 请求相同的安全保证。
回答by Matt Newell
Has anyone looked at:
有没有人看过:
https://github.com/jpillora/xdomain
https://github.com/jpillara/xdomain
It uses postMessage and iframes to achieve cors requests, and is cross browser (no need for teeth clenching XDomainRequests in IE).
它使用 postMessage 和 iframes 来实现 cors 请求,并且是跨浏览器的(不需要在 IE 中咬牙切齿的 XDomainRequests)。
Perhaps it will allow cross protocol cors requests?
也许它会允许跨协议 cors 请求?
