Is it possible to use cross-site XMLHttpRequest?

2023-09-10 13:14:17 Author: 揽月敬风尘

Cross Site XMLHttpRequest from JavaScript can it be done?

I understand the limitations and why it is not generally able to work, but as of Firefox 3.5 there is the

Access-Control-Allow-Origin: *

which is supposed to allow this to work.

It tells the browser that the server does not care if the request is sent to it from a domain that did not serve the page.

The code I am using is below.

function sendData(webservicePayload, callbackFunction) {
    var request = null;
    if (!window.XMLHttpRequest) { // code for IE
        try {
            request = new ActiveXObject('Msxml2.XMLHTTP');
        } catch (e) {
            try {
                request = new ActiveXObject('Microsoft.XMLHTTP');
            } catch (E) {
                return 'Create XMLHTTP request IE';
            }
        }
    } else { // code for Mozilla, etc.
        request = new XMLHttpRequest();
    }
    if (!request) {
        nlapiLogExecution('ERROR', 'Create XMLHTTP request', 'Failed');
        return;
    }
    /*
     * Setup the callback function: runs once the response is complete
     * (readyState 4) and the status is a success (2xx). A status of 0 means
     * the request never completed (for example, blocked by the browser).
     */
    request.onreadystatechange = function() {
        if (request.readyState == 4 && request.status >= 200 && request.status < 300) {
            if (typeof callbackFunction === 'function') {
                callbackFunction(request);
            } else {
                eval(callbackFunction); // legacy: callback passed as a string of code
            }
        }
    };
    /*
     * Setup the request headers. The custom headers (Man, MessageType,
     * SOAPAction) are what make the browser send a preflight OPTIONS request first.
     */
    request.open('POST', 'http://www.another.domain.co.uk/webservice.asmx', true);
    request.setRequestHeader('Man', 'POST http://www.another.domain.co.uk/webservice.asmx HTTP/1.1');
    request.setRequestHeader('MessageType', 'CALL');
    // One Content-Type only: the payload is a SOAP envelope, so text/xml.
    // (Setting the header twice appends both values to a single header.)
    request.setRequestHeader('Content-Type', 'text/xml; charset="utf-8"');
    request.setRequestHeader('Cache-Control', 'no-cache');
    request.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
    request.setRequestHeader('SOAPAction', 'http://www.another.domain.co.uk/WebService/eService');
    request.send(webservicePayload);
}

This sends the correct request headers.

Request

OPTIONS /webservice.asmx HTTP/1.1
Host: www.another.domain.co.uk
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Origin: https://my.domain.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: cache-control,content-type,man,messagetype,soapaction
Pragma: no-cache
Cache-Control: no-cache

and receives the expected response headers.

Response

HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/5.1
Date: Wed, 14 Dec 2011 13:43:27 GMT
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html
Content-Length: 44

As you can see the Origin is specified in the request and the server responds with acceptance of any ("*") domain.

Why am I getting "Forbidden 403"? I feel that everything I have done is correct, and I can't work out why.

Is anyone else getting this?

Do you know what is causing it?

Recommended answer

A CORS request actually consists of two physical HTTP requests: 1) the preflight request, and 2) the actual request. The request you posted above looks like the preflight request, since it uses the HTTP OPTIONS method. So the first thing you have to do is verify that your server accepts OPTIONS requests (I believe this should just work, but it may explain why you are receiving a 403).

Next, you need a valid preflight response. The response to a preflight request must also contain the following two headers:

Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: Origin,cache-control,content-type,man,messagetype,soapaction

(See how these response headers are an echo of the Access-Control-Request-Method and Access-Control-Request-Headers request headers). The Access-Control-Allow-Headers header should contain any custom request headers.

Once the browser receives this response, it knows that the preflight request has been accepted, and it makes the actual request. On the actual request, you only need the following header:

Access-Control-Allow-Origin: *

You can learn more about preflight requests and handling CORS requests here: http://www.html5rocks.com/en/tutorials/cors/
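As an added example (not code from the question or the answer above), here is server-side logic that produces the preflight and actual-request headers the answer describes. It goes one step further than the answer's "*": the origin, method and requested headers are each checked against an allowlist, and anything outside it gets a 403 with no CORS headers rather than a blind echo. The allowlist values and function names are assumptions, chosen to match the exchange in the question.

```javascript
// Added example, not code from the question or answer: a CORS preflight handler
// written as pure functions so the header logic can be exercised without a web
// server. Allowlists are assumptions chosen to match the question's exchange.
const ALLOWED_ORIGINS = new Set(['https://my.domain.com']);
const ALLOWED_METHODS = new Set(['POST']);
const ALLOWED_HEADERS = new Set(['cache-control', 'content-type', 'man', 'messagetype', 'soapaction']);
// HTTP header names are case-insensitive: lower-case the keys of a header map.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}
// Answer an OPTIONS preflight. Returns { status, headers }. Anything outside the
// allowlists gets a 403 with no CORS headers, so the browser blocks the actual
// request instead of the server echoing back whatever was asked for.
function handlePreflight(requestHeaders) {
  const h = normalise(requestHeaders);
  const origin = h['origin'];
  const method = (h['access-control-request-method'] || '').toUpperCase();
  const requested = (h['access-control-request-headers'] || '')
    .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  if (!ALLOWED_METHODS.has(method)) return { status: 403, headers: {} };
  if (requested.some(n => !ALLOWED_HEADERS.has(n))) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,               // the specific origin, not '*'
      'Access-Control-Allow-Methods': method,
      'Access-Control-Allow-Headers': requested.join(','), // echo of the request header
      'Access-Control-Max-Age': '600',                     // let the browser cache this preflight
      'Vary': 'Origin',                                    // one origin's answer must not be cached for another
    },
  };
}
// The actual POST that follows only needs Access-Control-Allow-Origin.
function corsHeadersForActualRequest(requestHeaders) {
  const origin = normalise(requestHeaders)['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
}
// Constructed sample input: the preflight headers from the question.
const samplePreflight = {
  'Origin': 'https://my.domain.com',
  'Access-Control-Request-Method': 'POST',
  'Access-Control-Request-Headers': 'cache-control,content-type,man,messagetype,soapaction',
};
```

With the sample input, handlePreflight returns 204 with the allow headers echoing the request, which is exactly the response the answer says the browser needs before it sends the real POST.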
