Updated: 1970-01-01 07:56:18
In short, all AJAX requests (and cross-window scripting) are subject to the Same Origin Policy. JSONP (JSON with Padding) isn't subject to the Same Origin Policy because it involves adding a script from an external domain to the DOM; the script itself contains a call to a known function that already exists on the client, with the JSON as the function call's argument.
JSONP can't return HTML or XML directly, but it could pass an object that contains a string of HTML or XML data, which in turn could be added to the DOM or parsed by the client.
For instance, a JSONP might return:
jsonp_callback({"Errors":"none","Data":"<div id='externalWidget'>Hello!</div>"});
When this script is added to the page, the function jsonp_callback will be executed with the JSON object as its argument. That function would then add the HTML code to the page.
There are other ways of achieving what you want. For instance, if the client doesn't need to manipulate the data in any way, you could provide a widget via an HTML document that would be iframed by your client's page:
<iframe id="widget" src="http://mysite.com/widget/v1/"></iframe>
If they did need to manipulate the data, they would be blocked by the Same Origin Policy as outlined above.
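The JSONP exchange described in this answer, sketched end to end as an added example that is not part of the original answer. The names buildJsonpResponse, makeJsonpCallback, runAsInjectedScript and the render sink are assumptions, and runAsInjectedScript stands in for the browser executing the injected script element.

```javascript
// Server side (hypothetical helper): pad a JSON payload with the caller's callback name.
function buildJsonpResponse(callbackName, payload) {
  // Accept only a plain identifier, so the query string cannot put script into the response.
  if (!/^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/.test(callbackName)) {
    throw new TypeError('invalid JSONP callback name');
  }
  // Escape "<" and the JS line separators so the body stays inert inside a <script> element.
  const json = JSON.stringify(payload)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `${callbackName}(${json});`;
}

// Client side: the known function the response calls. It checks the shape of the
// object before handing the HTML string to `render` (hypothetical sink, e.g. one
// that writes into a sandboxed iframe's srcdoc rather than the host page's DOM).
function makeJsonpCallback(render) {
  return function jsonp_callback(response) {
    if (response === null || typeof response !== 'object') return false;
    if (response.Errors !== 'none' || typeof response.Data !== 'string') return false;
    render(response.Data);
    return true;
  };
}

// Stand-in for the browser executing an injected <script src="...">: the response
// body runs as code with jsonp_callback in scope. Used here only on the body built above.
function runAsInjectedScript(scriptText, callback) {
  new Function('jsonp_callback', scriptText)(callback);
}

// Constructed sample: the widget payload from the answer, end to end.
function demo() {
  const rendered = [];
  const body = buildJsonpResponse('jsonp_callback', {
    Errors: 'none',
    Data: "<div id='externalWidget'>Hello!</div>",
  });
  runAsInjectedScript(body, makeJsonpCallback((html) => rendered.push(html)));
  return { body, rendered };
}
```

Because the response is executed as script in the including page's origin, the including page is trusting the external domain with everything its own scripts can do; the shape check in the callback only guards against malformed data, not a hostile provider.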