[英]Same-origin Policy Specification
I have a javascript AJAX call made to a code behind function running on my server, which returns to the client script (that has initiated the call), a url (from a different Domain than mine) with a query ( http://www.web_server_url.com/my_query&callback= ?). 我对服务器上运行的函数背后的代码进行了javascript AJAX调用,该代码返回到客户端脚本(已发起调用),带有查询( http:// www的url)(来自与我不同的域) .web_server_url.com / my_query&callback = ?)。 After returning the call, the following JQuery code is executed ('specific_div' being an existing div in the page): 返回调用后,将执行以下JQuery代码(“ specific_div”是页面中的现有div):
$('#specific_div').load(returned_url);
Meanwhile, I obtain the following error message: 同时,我获得以下错误消息:
XMLHttpRequest cannot load http://www.web_server_url.com/my_query&callback=?. Origin http://localhost is not allowed by Access-Control-Allow-Origin.
Although I understand the same-origin policy, I do not quite understand why I am obtaining this error message in this scenario since the url is passed from my server. 尽管我了解同源策略,但是由于从服务器传递了URL,所以我不太了解为什么在这种情况下会收到此错误消息。 Shouldn't it be accepted by the browser, considering that its origin is from the same Domain (local host in this case), although it is contacting another Domain? 考虑到它的来源是同一域(在本例中为本地主机),尽管它正在与另一个域联系,但浏览器是否应该接受它?
Same origin means requested resource/information must be on the same domain (schema + host + port) as page. 相同的来源意味着请求的资源/信息必须与页面位于同一域(模式+主机+端口)。 It does not mean "url to resource provided by the origin server". 它并不意味着“ URL到达源服务器提供的资源”。
In your particular case you have page on "http://localhost"
and trying to request "http://www.web_server_url.com"
- scheme ("http") and port (80) match, but domain name does not ("localhost" vs. "www.web_server_url.com"). 在您的特定情况下,您在"http://localhost"
上有一个页面,并尝试请求"http://www.web_server_url.com"
-方案(“ http”)和端口(80)匹配,但域名不匹配( “本地主机”与“ www.web_server_url.com”)。
Note that error you see explains that you need to enable CORS on destination server for this particular request. 请注意,看到的错误说明您需要为此目标在目标服务器上启用CORS 。
If you don't own/control destination server (and hence can't use CORS or JSONP to securely communicate with other server client side) than you most generic option is proxy that request on your server. 如果您不拥有/控制目标服务器(因此无法使用CORS或JSONP与其他服务器客户端进行安全通信),则最通用的选择是在服务器上代理该请求。 Note that limits on what information you can use (ie you can't steal cookies set on the destination domain this way). 请注意,您可以使用哪些信息(即,您不能以这种方式窃取在目标域上设置的cookie)受到限制。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.