
CORS with IE11+ Access Denied with SSL to localhost

The Very Short Version: is anybody successfully requesting local resources via AJAX, in IE, over SSL? I cannot solve getting an "access denied" error.


The Longer Version:

I am using AJAX to retrieve JSON from an application that runs a local web service. The web service channel is encrypted so that if the remote site is being served over HTTPS, no "insecure resource on a secure page" errors appear.

So, in the address bar is a remote site of some sort... mysite.com. It is receiving information from https://localhost/.

The web service is setting correct headers for CORS and everything works in Chrome and Firefox. In IE, if I put my https://localhost resource into the address bar, the correct resource is returned and displayed. However, when using AJAX (not just the address bar), a security setting in IE is denying access. This is documented (in part) here:

Access denied in IE 10 and 11 when ajax target is localhost

The only proper solution in one reply is to add the requesting domain (mysite.com in this case) to the trusted sites. This works, but we would prefer to not have user intervention... pointing to a knowledge base article on how to add a trusted site is hardly a great user experience. The other replies to that question are invalid for the same reasons as below-->

Some more stumbling around and I discovered this:

CORS with IE, XMLHttpRequest and ssl (https)

Which had a reply containing a wrapper for AJAX requests in IE. It seemed promising, but as it turns out, IE11 has now deprecated the XDomainRequest API. This was probably the right thing for Microsoft to do... but now the "hack" workaround of adding a void onProgress handler to the XDR object is obviously not an option and the once-promising workaround wrapper is rendered null and void.

Has anybody come across either:

a) a way to get those requests through without needing to modify the trusted sites in IE? In other words, an updated version of the workaround in the second link?

b) as a "next best" case: a way to prompt the user to add the site to their trusted zone? "mysite.com wishes to be added to your trusted zones. Confirm Yes/No" and have it done, without them actually needing to open up their native settings dialogues and doing it manually?

For security reasons, Internet Explorer's XDomainRequest object blocks access (see #6 here) to the Intranet Zone from the Internet Zone. I would not be surprised to learn that this block was ported into the IE10+ CORS implementation for the XMLHTTPRequest object.

One approach which may help is to simply change from localhost to 127.0.0.1 as the latter is treated as Internet Zone rather than Intranet Zone and as a consequence the zone-crossing is avoided.

However, you should be aware that Internet Explorer 10+ will block all access to the local computer (via any address) when a site is running in Enhanced Protected Mode (EPM) -- see "Loopback blocked" in this post. Currently, IE uses EPM only for Internet sites when run in the Metro/Immersive browsing mode (not in Desktop) but this could change in the future.

No, there's no mechanism to show the Zones-Configuration UI from JavaScript or to automatically move a site from one zone to another. However, the fact that you have a local server implies that you are running code on the client already, which means you could use the appropriate API to update the Zone Mapping on the client. Note that such a change requires that you CLEARLY obtain user permission first, lest your installer be treated as malware by Windows Defender and other security products.

So, in summary, using the IP address should serve as a workaround for many, but not all platforms.
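A client-side sketch of the address fallback this answer describes, added here as an example and not part of the original answer: it tries `https://localhost` first and falls back to `https://127.0.0.1` when the request is refused. The function name, the `/status` path used in testing and the base URL list are assumptions; the local service's certificate must also be valid for whichever name is used.

```javascript
// Added example (not from the original answer). ES5 only so it runs in IE11.
// Tries each candidate base URL in order and reports which one answered.
var LOCAL_BASES = ['https://localhost', 'https://127.0.0.1']; // assumed service addresses

// done(err, data, baseUsed). XhrCtor is injectable for tests; omit it in a browser.
function getLocalJson(path, done, bases, XhrCtor) {
  bases = bases || LOCAL_BASES;
  XhrCtor = XhrCtor || XMLHttpRequest;
  var failures = [];

  function attempt(i) {
    if (i >= bases.length) {
      done(new Error('all bases failed: ' + failures.join('; ')));
      return;
    }
    var settled = false;
    function next(reason) {
      if (settled) { return; }          // a thrown error and onerror may both fire
      settled = true;
      failures.push(bases[i] + ' -> ' + reason);
      attempt(i + 1);
    }
    try {
      var xhr = new XhrCtor();
      xhr.onload = function () {
        if (settled) { return; }
        if (xhr.status !== 200) { next('HTTP ' + xhr.status); return; }
        var data;
        try { data = JSON.parse(xhr.responseText); } catch (e) { next('bad JSON'); return; }
        settled = true;
        done(null, data, bases[i]);
      };
      xhr.onerror = function () { next('network error'); };
      xhr.open('GET', bases[i] + path, true);
      xhr.send();
    } catch (e) {
      // A refused request can surface as an exception ("Access is denied")
      // instead of an onerror event, so both paths lead to the next base.
      next(e.message || 'exception');
    }
  }
  attempt(0);
}
```

The error passed to `done` lists every base that was tried and why it failed, which is the detail to log when the fallback is also blocked (for example under EPM).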

Since those are two different domains, one solution would be to create an application which proxies the requests in the direction you want.

If you have control over the example.com end, and want to support users who bring their own localhost service, this would be harder, as you would have to provide more requirements for what they bring.

If however, you have control over what runs in localhost, and want to access example.com, and have it access the localhost service, set up redirection in your web server of preference, or use a reverse proxy. You could add an endpoint to the same localhost app which doesn't overlap paths, for example, route http://localhost/proxy/%1 to http://%1, leaving the rest of localhost alone. Or, run a proxy on e.g. http://localhost:8080 which performs a similar redirection, and can serve example.com from a path, and the API from another.

This winds up being a type of "glue" or integration code, which should allow you to mock interactions up to a point.
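A sketch of the `/proxy/%1` route from this answer, added here as an example and not part of the original answer: routing any `%1` to `http://%1` makes the local service an open proxy, so this version only forwards to an allowlist of upstream hosts. The allowlist contents and function names are assumptions, and the handler relies on the global `fetch` of Node 18 or later.

```javascript
// Added example (not from the original answer): /proxy/<host>/<path> forwarding
// restricted to known upstream hosts.
var ALLOWED_UPSTREAMS = ['example.com', 'www.example.com']; // assumed upstream hosts

// Map "/proxy/example.com/api/x?y=1" to "http://example.com/api/x?y=1",
// or return null when the request must be refused.
function resolveUpstream(reqUrl) {
  var m = /^\/proxy\/([^\/?#]+)(\/[^#]*)?$/.exec(reqUrl || '');
  if (!m) { return null; }
  var target;
  try { target = new URL('http://' + m[1] + (m[2] || '/')); } catch (e) { return null; }
  // Check the parsed URL, not the raw path segment: credentials or an explicit
  // port in the segment would otherwise change where the request really goes.
  if (target.username || target.password || target.port) { return null; }
  if (ALLOWED_UPSTREAMS.indexOf(target.hostname) === -1) { return null; }
  return target.href;
}

// Request handler for http.createServer(); bind the server to 127.0.0.1 only.
function handleProxy(req, res) {
  var target = resolveUpstream(req.url);
  if (!target || req.method !== 'GET') {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end('upstream not allowed');
    return;
  }
  // redirect: 'manual' keeps an allowed host from redirecting the proxy
  // to a host that is not on the allowlist.
  fetch(target, { redirect: 'manual' }).then(function (up) {
    return up.text().then(function (body) {
      res.writeHead(up.status, {
        'Content-Type': up.headers.get('content-type') || 'text/plain'
      });
      res.end(body);
    });
  }).catch(function () {
    res.writeHead(502, { 'Content-Type': 'text/plain' });
    res.end('upstream error');
  });
}
```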
