Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/11690191/

Time: 2020-10-26 14:00:55  Source: igfitidea

Cross domain request from HTTP to HTTPS aborts immediately

Tags: javascript, https, xmlhttprequest, cors

Asked by Halcyon

I'm trying to make Cross-Domain webservice calls from an HTTP page to an HTTPS service.

I have set up the proper CORS headers on the server (it works with HTTP-HTTP and HTTPS-HTTPS).

It does work if I change the requests to JSONp.

What I'm seeing in Chrome and Firefox is the HTTPS request is never sent, it's immediately aborted, and the server never sees the request.

It is worth noting that the preflight OPTIONS request is aborted (and it doesn't reach the server).

I can't find any source that explains that this is indeed not possible (HTTP to HTTPS) and better yet: explains why. I can understand HTTPS to HTTP is unsafe, but the other way around should be fine, right? It seems silly to me because JSONp works (but it's messy).

notes

I also have withCredentials set to true and I'm sending some custom headers and a custom Content-Type: application/json

I'm using the regular XMLHTTPRequest with fallbacks to JSONp for IE<=9
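
For the request described in the notes above (withCredentials, custom headers, a JSON Content-Type), this is what the server's answer to the preflight OPTIONS has to contain. It is an added example, not code from the original post; the origin `http://app.example.test` and the header name `x-custom-header` are assumptions. As the accepted answer shows, in the asker's case the preflight never reached the server, so these headers were not the cause of the abort.

```javascript
// Added example: origin and custom header name are hypothetical placeholders.
const ALLOWED_ORIGINS = new Set(["http://app.example.test"]); // the HTTP page's origin
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "x-custom-header"];

// Builds the response to an OPTIONS preflight from the request headers
// (lower-cased names, the way Node's http module exposes them).
function answerPreflight(reqHeaders) {
  const origin = reqHeaders["origin"];
  const method = reqHeaders["access-control-request-method"];
  const asked = (reqHeaders["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);

  // Unknown origin, method or header: reply without any CORS headers,
  // so the browser refuses to send the real request.
  if (
    !ALLOWED_ORIGINS.has(origin) ||
    !ALLOWED_METHODS.includes(method) ||
    !asked.every((h) => ALLOWED_HEADERS.includes(h))
  ) {
    return { status: 403, headers: {} };
  }

  return {
    status: 204,
    headers: {
      // With withCredentials = true the browser rejects "*",
      // so echo the origin only after checking it against the allow-list.
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      // Caches must not reuse this answer for a different origin.
      "Vary": "Origin",
    },
  };
}
```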

Accepted answer by Halcyon

Ok, I figured it out. The certificate I'm using for the HTTPS domain is self-signed and unverified. Adding it to the list of trusted third-party authorities fixed it for me.

You can install the certificate in Windows 7 through IE. This worked for me: http://productforums.google.com/forum/#!topic/chrome/bds-Ao9LigA%5B1-25%5D post by zacharysyoung 2/11/09. Make sure you run IE(9) as administrator or the install will fail even though it says it installed it correctly.

  1. Open Internet Explorer (IE) and navigate to the site hosting the self-signed certificate.
  2. IE should display a page warning that, 'There is a problem with this web site's security certificate.'
  3. Click the, 'Continue to this website (not recommended)' link.
  4. Once the page has loaded, look to the right of the address bar. A red/pink button, labeled 'Certificate Error,' should be visible. Click that button.
  5. A pop-up, titled 'Untrusted Certificate,' will appear. Click the 'View certificates' link at the bottom of the pop-up.
  6. Another pop-up, titled 'Certificate,' will appear. Click the 'Install Certificate...' button.
  7. The 'Certificate Import Wizard' will be started. Click the 'Next' button.
  8. ** For XP:
     a. Leave 'Automatically select the certificate...' option selected, and click the 'Next' button.
     ** For Vista:
     a. Choose 'Place all certificates in the following store' option, and click the 'Browse' button.
     b. Click the 'Show physical stores' checkbox.
     c. Expand the 'Third-Party Root Certification Authorities' folder, and choose 'Local Computer'. Click the 'OK' button.
     d. Click the 'Next' button.
  9. This should display the 'Completing the Certificate Import Wizard' dialog. Click the 'Finish' button.
  10. A 'Security Warning' pop-up will appear. The warning is informing you that the certificate's origin cannot actually be validated. You should know where the certificate is coming from. If you do, click the 'Yes' button to install the certificate.
  11. A final pop-up informing you that, 'The import was successful,' will be displayed. Click the 'OK' button.
  12. Restart/Open Chrome and navigate to the site in question. You should not be greeted by the security warning page.

Aside from that, I think I may have discovered a bug in Chrome. See: https://code.google.com/p/chromium/issues/detail?id=141839

Answer by SciSpear

It might be easier to set up something like easyXDM. It is rather quick to get going and will do all the backwards compatibility for you (all the way to IE6). It might not be the home-grown solution you are looking for but if you want cross-domain (where you have access to both sides) in a hurry it fits the bill.

You could always write your own iframe (postMessage) interface but why re-invent the wheel (and don't forget to set your document.domain if you are using different sub-domains).
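
A sketch of the receiving side of the hand-written iframe (postMessage) interface mentioned in the answer above, as an added example that is not part of the original answer and is not easyXDM's code. The origin `http://app.example.test`, the message shape `{ id, action, payload }` and the action name `getProfile` are assumptions.

```javascript
// Added example: origin, message shape and action names are hypothetical.
const PARENT_ORIGIN = "http://app.example.test"; // the HTTP page embedding the iframe

// Only these actions are exposed across the origin boundary.
const ACTIONS = {
  getProfile: (payload) => ({ user: String(payload.user), plan: "basic" }),
};

// Builds the "message" listener for the iframe served from the HTTPS origin.
// Returns true when a request was served, false when it was dropped.
function makeBridgeHandler(allowedOrigin, actions) {
  return function onMessage(event) {
    // 1. Drop anything that was not sent by the expected parent page.
    if (event.origin !== allowedOrigin) return false;

    // 2. Accept only well-formed requests for allow-listed actions.
    const msg = event.data;
    if (!msg || typeof msg !== "object" || typeof msg.id !== "number") return false;
    if (!Object.prototype.hasOwnProperty.call(actions, msg.action)) return false;

    const result = actions[msg.action](msg.payload || {});

    // 3. Reply to the sender only, naming its origin explicitly instead of "*",
    //    so the answer cannot be delivered to a page on another origin.
    event.source.postMessage({ id: msg.id, result }, event.origin);
    return true;
  };
}

// Inside the iframe (skipped when the file is loaded outside a browser).
if (typeof window !== "undefined") {
  window.addEventListener("message", makeBridgeHandler(PARENT_ORIGIN, ACTIONS));
}
```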
