通过https网站与localhost上的http服务器进行通信,跨域
[英]Communicating from https website to http server on localhost, cross-domain
问题描述
So I have a GWT webapp that needs to communicate with a desktop application. 
所以我有一个需要与桌面应用程序通信的GWT webapp。 To accomplish this, the desktop program starts up a webserver at a given port (say, http://localhost:9000 ). 为此,桌面程序在给定端口启动Web服务器(例如, http://localhost:9000 )。
I have implemented JSON-P communication to get around the Cross-Domain filters, which works fine when testing locally (webapp runs at http://localhost:8888 ). 我已经实现了JSON-P通信来绕过跨域过滤器,这在本地测试时工作正常(webapp运行在http://localhost:8888 )。 The problem is, the production website is served over https, and no browser will allow you to request javascript over http from https. 问题是,生产网站是通过https提供的,没有浏览器允许您通过https从http请求javascript。
So I've tried a few things. 所以我尝试了一些东西。
I have set the "Access-Control-Origin: *" header using Java's HttpServletResponse.addHeader("Access-Control-Allow-Origin", "*") on both the server that serves the GWT javascript and the server that the javascript is trying to make requests to, and making HTTP requests, but that gets blocked by same origin filters (presumable because I'm trying to make request from https to http.) 我在服务于GWT javascript的服务器和javascript所在的服务器上使用Java的HttpServletResponse.addHeader("Access-Control-Allow-Origin", "*")设置了“Access-Control-Origin:*”标头。尝试向HTTP请求发出请求,但是这些请求被相同的原始过滤器阻止(因为我正在尝试从https向http发出请求)。
I have tried to use the Json-P communication from a new Window (created by calling $wnd.open) without a URL hoping that it would load over http, but it is loaded over https, so I ran into the same problem as before. 我试图从一个新窗口(通过调用$ wnd.open创建)中使用Json-P通信而没有URL希望它会加载http,但它是通过https加载的,所以我遇到了和以前一样的问题。
Is there any way to make a cross domain request from javascript served over https to http? 有没有办法从通过https到http的javascript提出跨域请求? There isn't any feasible way to run https on the localhost (self-signed cert gets blocked when making JSON-P requests.) 没有任何可行的方法在localhost上运行https(在签署JSON-P请求时,自签名证书被阻止。)
1 个解决方案
解决方案1
1 2017-08-17 16:19:46
Assuming that the computer you are deploying to has internet access, the best solution to this problem is to register a subdomain on your main site where the webapp is hosted (for example, localhost.example.com) and setup the DNS entries to point to 127.0.0.1 . 假设您部署的计算机具有Internet访问权限,此问题的最佳解决方案是在托管webapp的主站点上注册子域(例如,localhost.example.com)并设置DNS条目以指向127.0.0.1。 You can then get a signed https certificate for localhost.example.com and distribute that certificate with your application. 然后,您可以获取localhost.example.com的已签名https证书,并将该证书与您的应用程序一起分发。
Words of warning: 警告语:
- Because the certificate is distributed with your application, it isn't secret, so make sure not to provide a certificate for *.example.com or anything silly like that. 因为证书是随您的应用程序一起分发的,所以它并不是秘密,因此请确保不要为* .example.com或类似的任何内容提供证书。 Fortunately, an attacker needs to run a server on the local machine to exploit it, in which case they already have access to all of your cookies and stuff. 幸运的是,攻击者需要在本地计算机上运行服务器才能利用它,在这种情况下,他们已经可以访问您的所有cookie和内容。
- If/when your certificate expires, things could break. 如果/当证书过期时,事情可能会中断。 This may require having your client app download the certificate from your web server. 这可能需要让您的客户端应用程序从您的Web服务器下载证书。 The security implications of this should be no worse than distributing it in the binary. 这种安全含义应该不比在二进制文件中分发它更糟糕。
- If you are very security-sensitive, using an entirely separate domain (localhostexample.com) could protect against future exploits or bugs. 如果您对安全性非常敏感,则使用完全独立的域(localhostexample.com)可以防止未来的漏洞或漏洞。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.