Updated: 2023-01-09 07:49:11
This is by design. You can't make an arbitrary HTTP request to another server using XMLHttpRequest unless that server allows it by putting out an Access-Control-Allow-Origin header for the requesting host.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
You could retrieve it in a script tag (there isn't the same restriction on scripts and images and stylesheets), but unless the content returned is a script, it won't do you much good.
Here's a tutorial on CORS:
This is all done to protect the end user. Assuming that an image is actually an image, a stylesheet is just a stylesheet and a script is just a script, requesting those resources from another server can't really do any harm.
But in general, cross-origin requests can do really bad things. Say that you, Zoltan, are using coolsharks.com. Say also that you are logged into mybank.com and there is a cookie for mybank.com in your browser. Now, suppose that coolsharks.com sends an AJAX request to mybank.com, asking to transfer all your money into another account. Because you have a mybank.com cookie stored, they successfully complete the request. And all of this happens without your knowledge, because no page reload occurred. This is the danger of allowing general cross-site AJAX requests.
If you want to perform cross-site requests, you have two options:
or
In (1), you must have the cooperation of the server you are making requests to, and in (2), you must have control over the end user's browser. If you can't fulfill (1) or (2), you're pretty much out of luck.
However, there is a third option (pointed out by charlietfl). You can make the request from a server that you do control and then pass the result back to your page. E.g.
<script>
$.ajax({
  type: 'GET',
  url: '/proxyAjax.php?url=http%3A%2F%2F***.com%2F10m',
  dataType: 'html',   // jQuery's dataType is 'html'/'text'/'json', not a MIME type
  success: function(data) { alert("Success"); /* data holds the proxied response body */ },
  error: function() { alert("Error"); }
});
</script>
And then on your server, at its most simple:
<?php
// proxyAjax.php
$url = $_GET['url'] ?? '';
// ... validation of params
// and checking of url against whitelist would happen here ...
$host = parse_url($url, PHP_URL_HOST);
if (!is_string($host) || !in_array($host, ['***.com'], true)) { http_response_code(400); exit('url not allowed'); }
// assume that $url now contains "http://***.com/10m"
echo file_get_contents($url);
Of course, this method may run into other issues:
I'm sure there are others. But if none of those issues prevent it, this third method could work quite well.
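The whitelist check that the proxyAjax.php comment leaves as a placeholder, written out as an added example (not part of the original answer) for a Node.js-style proxy rather than PHP; the names PROXY_ALLOWLIST, isAllowedProxyTarget and handleProxyRequest and the allowed hosts are assumptions:

```javascript
// Added example, not from the original answer: the allowlist check that the
// proxyAjax.php comment leaves as "would happen here", for a Node.js-style proxy.
// Assumed names: PROXY_ALLOWLIST, isAllowedProxyTarget, handleProxyRequest.

// Hosts the proxy may fetch from (constructed sample values).
const PROXY_ALLOWLIST = new Set(['example.com', 'www.example.com']);

// Returns the parsed URL when the proxy may fetch it, otherwise null.
function isAllowedProxyTarget(rawUrl, allowlist = PROXY_ALLOWLIST) {
  let u;
  try {
    u = new URL(rawUrl);                 // the URL parser also lowercases the hostname
  } catch {
    return null;                         // relative or malformed: refuse
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null; // no file:, ftp:, ...
  if (u.username || u.password) return null;   // "allowed.host@other.host" parses as other.host
  if (!allowlist.has(u.hostname)) return null; // exact match: no subdomains, IPs or localhost
  return u;
}

// The proxy endpoint's decision for a request path such as
// '/proxyAjax?url=http%3A%2F%2Fexample.com%2F10m'. The caller fetches `fetch`
// with a fresh server-side request (no browser cookies forwarded) and relays the body.
function handleProxyRequest(requestPath) {
  const wanted = new URL(requestPath, 'http://proxy.invalid').searchParams.get('url') || '';
  const target = isAllowedProxyTarget(wanted);
  return target ? { status: 200, fetch: target.href } : { status: 400, fetch: null };
}
```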