访问被拒绝。请求安全页面时出现 JavaScript 错误
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4887920/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Access is denied. JavaScript error on request to secured page
提问by ihorko
On page SomePage.aspx, by JavaScript code (XMLHttpRequest) I call SecuredPage.aspxused next code:
在页面上SomePage.aspx,通过 JavaScript 代码 (XMLHttpRequest) 我调用SecuredPage.aspx使用的下一个代码:
var httpRequest = GetXmlHttp();
var url = "https://myhost.com/SecuredPage.aspx";
var params = "param1=" + document.getElementById('param1').value +
"¶m2=" + document.getElementById('param2').value;
httpRequest.open("POST", url, true);
httpRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
httpRequest.onreadystatechange = function() {
//Call a function when the state changes.
if (httpRequest.readyState == 4 && httpRequest.status == 200) {
alert(httpRequest.responseText);
}
}
httpRequest.send(params); // HERE ACCESS IS DENIED.
//---------------------------------------------
function GetXmlHttp() {
var xmlhttp = false;
if (window.XMLHttpRequest) {
xmlhttp = new XMLHttpRequest();
}
else if (window.ActiveXObject)
// Code for Internet Explorer.
{
try {
xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
}
catch (e) {
try {
xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
} catch (E) {
xmlhttp = false;
}
}
}
return xmlhttp;
}
It throws an Access is deniederror. If send to http (http://myhost.com/SecuredPage.aspx), it works fine.
它引发访问被拒绝错误。如果发送到 http (http://myhost.com/SecuredPage.aspx),它工作正常。
How is it possible to resolve this problem?
如何解决这个问题?
回答by Martin Jespersen
If you wish to fetch an HTTPSpage via Ajax you need to do it from an HTTPS page on the same domain, there is no other way, as long as you use Ajax. This is because of the same origin policy.
如果您希望通过 Ajax获取HTTPS页面,您需要从同一域中的 HTTPS 页面执行此操作,没有其他方法,只要您使用 Ajax。这是因为同源策略。
That said, there are plenty of ways to do this not using Ajax, for instance you can use frames.
也就是说,有很多方法可以不使用 Ajax 来做到这一点,例如您可以使用 frames。
Another way is to use JSONP, but this requires that you are fetching, well, JSON :)
另一种方法是使用JSONP,但这需要您获取 JSON :)
A third way, that tends not to be very useful for production websites, but still can be fun to tinker around with, is to use YQLas a proxy.
第三种方法,对于生产网站来说往往不是很有用,但仍然可以很有趣地修补,是使用YQL作为代理。
Lastly you can always set up a serverside proxy of your own, so that you call an HTTP address that fetches the HTTPS page and sends it on, but this is rarely a good solution if it can be avoided.
最后,您始终可以设置自己的服务器端代理,以便您调用获取 HTTPS 页面并将其发送的 HTTP 地址,但如果可以避免,这很少是一个好的解决方案。
回答by Victor
This is because the browser considers httpand httpsas 2 different sites/domains, and therefore you have to adhere to the same origin policy.
这是因为浏览器将http和https视为 2 个不同的站点/域,因此您必须遵守同源策略。
Due to browser security restrictions, most "Ajax" requests are subject to the same origin policy; the request can not successfully retrieve data from a different domain, subdomain, or protocol.
One way to solve it is using jsonp.
解决它的一种方法是使用 jsonp。
回答by Surreal Dreams
As it's been said, your problem is that your browser sees this as a cross domain request. Another way to accommodate this is to set up a crossdomain.xml file like this:
如前所述,您的问题是您的浏览器将此视为跨域请求。另一种适应这种情况的方法是设置一个 crossdomain.xml 文件,如下所示:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="myhost.com" />
<allow-access-from domain="ourhost.com" />
<site-control permitted-cross-domain-policies="master-only" />
</cross-domain-policy>
I'm notan expert on this method, but I have used it successfully. Other domains can be added by adding more allow-access-fromtags. You may need to do some fiddling. YMMV.
我不是这种方法的专家,但我已经成功地使用了它。可以通过添加更多allow-access-from标签来添加其他域。你可能需要做一些摆弄。天啊。
