Add the Access-Control-Allow-Origin header from the server

从服务器添加 Access-Control-Allow-Origin 标头

Access-Control-Allow-Origin: https://www.mysite.com

http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing

http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing

Try JSONP.

试试 JSONP。

most JS libraries make it just as easy as other AJAX calls, but internally use an iframe to do the query.

大多数 JS 库使它像其他 AJAX 调用一样简单，但在内部使用 iframe 来执行查询。

if you're not using JSON for your payload, then you'll have to roll your own mechanism around the iframe.

如果您没有将 JSON 用于有效负载，那么您必须围绕 iframe 滚动您自己的机制。

personally, i'd just redirect form the http:// page to the https:// one

就个人而言，我只是将 http:// 页面重定向到 https:// 页面

http://example.com/may resolve to a different VirtualHost than https://example.com/(which, as the Host header is not sent, responds to the default for that IP), so the two are treated as separate domains and thus subject to crossdomain JS restrictions.

http://example.com/可能会解析为与https://example.com/不同的 VirtualHost （由于未发送 Host 标头，因此会响应该 IP 的默认值），因此将两者视为单独的域，因此受跨域 JS 限制。

JSON callbacksmay let you avoid this.

JSON 回调可以让您避免这种情况。

Check out the opensource Forge project. It provides a JavaScript TLS implementation, along with some Flash to handle the actual cross-domain requests:

查看开源 Forge 项目。它提供了一个 JavaScript TLS 实现，以及一些 Flash 来处理实际的跨域请求：

http://github.com/digitalbazaar/forge/blob/master/README

http://github.com/digitalbazaar/forge/blob/master/README

In short, Forge will enable you to make XmlHttpRequests from a web page loaded over http to an https site. You will need to provide a Flash cross-domain policy file via your server to enable the cross-domain requests. Check out the blog posts at the end of the README to get a more in-depth explanation for how it works.

简而言之，Forge 将使您能够将 XmlHttpRequest 从通过 http 加载的网页发送到 https 站点。您需要通过服务器提供 Flash 跨域策略文件以启用跨域请求。查看自述文件末尾的博客文章，以获得有关其工作原理的更深入的解释。

However, I should mention that Forge is better suited for requests between two different https-domains. The reason is that there's a potential MiTM attack. If you load the JavaScript and Flash from a non-secure site it could be compromised. The most secure use is to load it from a secure site and then use it to access other sites (secure or otherwise).

但是，我应该提到 Forge 更适合两个不同 https 域之间的请求。原因是存在潜在的 MiTM 攻击。如果您从非安全站点加载 JavaScript 和 Flash，则可能会受到损害。最安全的用途是从安全站点加载它，然后使用它访问其他站点（安全或其他）。

You could attempt to load the the https page in an iframe and route all ajax requests in/out of the frame via some bridge, it's a hackaround but it might work (not sure if it will impose the same access restrictions given the secure context). Otherwise a local http proxy to reroute requests (like any cross domain calls) would be the accepted solution.

您可以尝试在 iframe 中加载 https 页面并通过某个网桥将所有 ajax 请求路由进/出框架，这是一种hackaround但它可能会起作用（不确定它是否会施加相同的访问限制给定安全上下文） . 否则，重新路由请求（如任何跨域调用）的本地 http 代理将是可接受的解决方案。

Here's what I do:

这是我所做的：

Generate a hidden iFrame with the data you would like to post. Since you still control that iFrame, same origin does not apply. Then submit the form in that iFrame to the ssl page. The ssl page then redirects to a non-ssl page with status messages. You have access to the iFrame.

使用您要发布的数据生成隐藏的 iFrame。由于您仍然控制该 iFrame，因此同源不适用。然后将该 iFrame 中的表单提交到 ssl 页面。ssl 页面然后重定向到带有状态消息的非 ssl 页面。您可以访问 iFrame。