Here's the simple answer: chrome --disable-web-security

这是简单的答案：chrome --disable-web-security

From the source code (chrome_switches.h):

从源代码（chrome_switches.h）：

// Don't enforce the same-origin policy.  (Used by people testing their sites.)
const char kDisableWebSecurity[]            = "disable-web-security";

I wanted to use jquery.js to send AJAX calls to a Google Apps python server running on port 8080. Just for testing, I wanted to run the browser and the server on the same machine.

我想使用 jquery.js 向运行在端口 8080 上的 Google Apps python 服务器发送 AJAX 调用。只是为了测试，我想在同一台机器上运行浏览器和服务器。

I don't understand all the security nuances, but for temporary development it seems like a reasonable workaround. So long as I only use chrome for testing with this flag, it shouldn't be a problem.

我不明白所有的安全细微差别，但对于临时开发来说，这似乎是一个合理的解决方法。只要我只使用 chrome 来测试这个标志，就不会有问题。

Here's the whole command for Mac OS X:

这是 Mac OS X 的整个命令：

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-web-security

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-web-security

We had the same need when developing our web app. Here's how we did it:

我们在开发 Web 应用程序时也有同样的需求。我们是这样做的：

The browser and the server communicate only through JSON.
All the HTML is rendered in the browser using PURE(our JS template engine).
The browser code is developed locally like this:

浏览器和服务器仅通过 JSON 进行通信。
所有 HTML 都使用PURE（我们的 JS 模板引擎）在浏览器中呈现。
本地开发的浏览器代码是这样的：

We add a hostparameter in the url of the app:

我们host在app的url中添加一个参数：

http://localhost/app.html?host=test.beebole-apps.com

In production, the JSON are sent to the server with a POST.
But here the function in charge of the ajax call will react to the hostparameter and make a JSONPinjection(GET) instead.

在生产中，JSON 通过 POST 发送到服务器。
但是这里负责 ajax 调用的函数将对host参数做出反应并进行JSONP注入（GET）。

<script src="http://test.beebole-apps.com/?callback=f2309892&json={...}" />

• f2309892is a temporary function, with a random name, that points to the method that will handle the response
• jsonis the JSON we send to the server

• f2309892是一个临时函数，具有随机名称，指向将处理响应的方法
• json是我们发送到服务器的 JSON

It means you will need some cooperation from the backend to serve you the json wrapped in a callback function like:

这意味着您需要后端的一些合作才能为您提供包裹在回调函数中的 json，例如：

f2309892( /*the json here*/ );

Except a size limitation(you can't send a big JSON to the server with a GET) it works like a breeze.
An other advantage is you can call all the different systems(development and test) from the same localhost.

除了大小限制（您不能使用 GET 将大 JSON 发送到服务器）之外，它的工作方式轻而易举。
另一个优点是您可以从同一个本地主机调用所有不同的系统（开发和测试）。

There are different ways to get around this, depending on which browser you're using for development. For example:

有多种方法可以解决此问题，具体取决于您用于开发的浏览器。例如：

• In Firefox (Gecko), set security.fileuri.strict_origin_policyto false
• In Chrome, start the browser with the option --allow-file-access-from-files

• 在 Firefox (Gecko) 中，设置security.fileuri.strict_origin_policy为false
• 在 Chrome 中，使用选项启动浏览器 --allow-file-access-from-files

References: Firefox, Chrome

参考资料：火狐、Chrome

Without touching the server -

不接触服务器 -

The quickest and easiest way to bypass the same origin security policy in Firefox is the install the Force CORS add-on. This works with any service by inserting the proper headers into every response.

在 Firefox 中绕过同源安全策略的最快和最简单的方法是安装 Force CORS 附加组件。通过在每个响应中插入正确的标头，这适用于任何服务。

https://addons.mozilla.org/en-US/firefox/addon/forcecors/

https://addons.mozilla.org/en-US/firefox/addon/forcecors/

localhost is not allowed to use in CORS http://code.google.com/p/chromium/issues/detail?id=67743use lvh.me instead

localhost 不允许在 CORS 中使用http://code.google.com/p/chromium/issues/detail?id=67743改用 lvh.me

I had that problem, too, using Chrome and the --allow-file-access-from-filesoption didn't really help. Back to the script my server needed to return, I added these headers to the response and it worked fine :

我也有这个问题，使用 Chrome 时该--allow-file-access-from-files选项并没有真正帮助。回到我的服务器需要返回的脚本，我将这些标头添加到响应中并且它工作正常：

'Access-Control-Allow-Origin: http://localhost/'

and another one for allowing a sort of key exchange

另一个允许进行某种密钥交换

'Access-Control-Allow-Headers: X-KEY'

try this (php curl ayax cross domain - by google):

试试这个（php curl ayax cross domain - by google）：

http://www.iacons.net/writing/2007/08/02/ajax-cross-domain-proxy/

http://www.iacons.net/writing/2007/08/02/ajax-cross-domain-proxy/

http://www.phpfour.com/blog/2008/03/cross-domain-ajax-using-php/

http://www.phpfour.com/blog/2008/03/cross-domain-ajax-using-php/

http://jquery-howto.blogspot.com/2009/04/cross-domain-ajax-querying-with-jquery.html

http://jquery-howto.blogspot.com/2009/04/cross-domain-ajax-querying-with-jquery.html

Since this is a development issue and not a end-user/functionality issue, rather than focusing on getting AJAX to cross domains get your development environment set up as a proxy to fetch the most recent data from the production servers. This is actually really easy to do.

由于这是一个开发问题而不是最终用户/功能问题，与其专注于让 AJAX 跨域，不如将您的开发环境设置为代理以从生产服务器获取最新数据。这实际上很容易做到。

You'd need to set up a web server in your dev environment (if it doesn't have one already), and then configure the server to respond to 404 requests by fetching and then echoing production data. You can set up your server so that only the AJAX data files are picked up (otherwise, it will be confusing to debug other files if production assets start showing up on your development pages). So if http://dev.myserver.com/data/json/mydata.jsonis missing, your 404 script will get http://prod.myserver.com/data/json/mydata.jsonand echo it to the client. The nice thing about this set-up is that you can use mock data very easily: if the file is there in your dev environment, your AJAX script will get that; but if you then erase or rename that file, you'll get the production data instead. This feature has been so useful I can't recommend it enough.

您需要在您的开发环境中设置一个 Web 服务器（如果它还没有），然后将服务器配置为通过获取然后回显生产数据来响应 404 请求。您可以设置您的服务器，以便仅选取 AJAX 数据文件（否则，如果生产资产开始出现在您的开发页面上，调试其他文件将令人困惑）。因此，如果http://dev.myserver.com/data/json/mydata.json缺少，您的 404 脚本将获取http://prod.myserver.com/data/json/mydata.json并将其回显给客户端。这个设置的好处是你可以很容易地使用模拟数据：如果文件在你的开发环境中，你的 AJAX 脚本就会得到它；但是如果您随后删除或重命名该文件，您将获得生产数据。这个功能非常有用，我不能推荐它。

If you're working with XML, I'd recommend duplicating the HTTP headers in the 404. If your 404 process responds with a Content-Typeof text/html, you won't get any responseXMLto parse.

如果您使用 XML，我建议您复制 404 中的 HTTP 标头。如果您的 404 进程以Content-Typeof响应text/html，您将无法responseXML解析。