javascript: cross-origin header in IE8/IE9

Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/9652364/

Time: 2020-10-26 07:21:23  Source: igfitidea

cross-origin header in IE8/IE9

javascript jquery internet-explorer cors xdomainrequest

Asked by Johannes Staehlin

Since jQuery ajax is not working for CORS/IE, I'm using XDomainRequest to retrieve data from another server. Works fine, but I would like to send some headers ('Authentification', 'content-type').

Is there a chance to add/change header in XDomainRequest?

Or does someone know a workaround?

Accepted answer by Evert

This is what we did for IE.

If you have control over the target domain, host a (static) html file there. Include the html using the iframe.

Now this iframe does actually have access to the local domain, so you can communicate between the parent and child frame to get what you need.

This worked much better than XDomainRequest for us.

window.postMessage is the best way to set up the communication:

But I'm pretty sure that only started working since IE8. If you require older browsers as well, you must use a different hack.

In our case, this was our 3-layer system:

  1. CORS, for browsers that support it
  2. An iframe & window.postMessage as a primary fallback
  3. A server-side proxy script as the secondary fallback

All of these options work well, are reliable and didn't feel too much like a hack. The secondary fallback was barely ever used.

Keep in mind that the 'Authentication' header specifically is special, and I would not be shocked that that's blocked under certain circumstances anyway. We added a custom header 'X-Authenticate' as it did pass through all the time.

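The iframe and window.postMessage fallback described in this answer, written out as an added example (not code from the original answer). The origins, path rule and JSON message shape are assumptions; the point is that both frames check `event.origin` and the bridge forwards only allowlisted headers, such as the 'X-Authenticate' header mentioned above.

```javascript
// Added example. Origins, path rule and message shape are assumptions.
var PARENT_ORIGINS = ['https://app.example.com'];        // pages allowed to use the bridge
var FORWARD_HEADERS = ['content-type', 'x-authenticate']; // headers the bridge will set
var PATH_RULE = /^\/api\/[\w\/-]*$/;                      // same-origin API paths, no ".."

function inList(list, value) {            // IE8 has no Array.prototype.indexOf
  for (var i = 0; i < list.length; i++) if (list[i] === value) return true;
  return false;
}

// Child side: runs in the static page hosted on the API domain.
// sendXhr(request, callback) does the same-origin XHR; injected so it can be stubbed.
function makeBridgeHandler(sendXhr) {
  return function (event) {
    if (!inList(PARENT_ORIGINS, event.origin)) return 'rejected-origin';
    var msg;                              // IE8/IE9 postMessage carries strings only
    try { msg = JSON.parse(event.data); } catch (e) { return 'rejected-format'; }
    if (!msg || typeof msg.id !== 'number' || typeof msg.path !== 'string' ||
        !PATH_RULE.test(msg.path)) return 'rejected-request';
    var headers = {}, src = msg.headers || {};
    for (var name in src) {               // forward allowlisted headers only
      if (Object.prototype.hasOwnProperty.call(src, name) &&
          inList(FORWARD_HEADERS, name.toLowerCase())) headers[name] = String(src[name]);
    }
    var request = { method: msg.method === 'POST' ? 'POST' : 'GET',
                    path: msg.path, headers: headers, body: msg.body };
    sendXhr(request, function (status, body) {
      // Reply to the validated origin, never '*'.
      event.source.postMessage(JSON.stringify({ id: msg.id, status: status, body: body }),
                               event.origin);
    });
    return 'forwarded';
  };
}

// Parent side: accept a reply only from the bridge iframe's window and origin.
function acceptReply(event, bridgeWindow, apiOrigin) {
  if (event.origin !== apiOrigin || event.source !== bridgeWindow) return null;
  try { return JSON.parse(event.data); } catch (e) { return null; }
}
```

In the iframe page the handler would be registered with `window.attachEvent('onmessage', handler)` on IE8 and `window.addEventListener('message', handler, false)` elsewhere.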

Answer by monsur

IE's XDomainRequest does not allow custom headers to be set. See item #3 here: http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

The XDomainRequest object is locked down to the point where it is difficult to make authenticated requests.
