Why don't I get a 'same origin policy' warning when using the Google Maps API?

I'm making a RESTful web service call in my JavaScript page and get the following warning:

"This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?"

Now I've read up on this and am aware of the cross-domain, same origin policy. However, I don't get such warnings when I consume other APIs like Google's Maps API. Clearly the domain is not the same as my local domain. What is the difference?

My initial guess is that Google is 'imported' into the page using the <script> tag while my REST consumption is using XMLHttpRequest. If that is the case, what is the difference between these two approaches that one would merit a warning and the other not?

The following might explain things: http://markmail.org/message/5wrphjwmo365pajy

Also, they employ some script hacks (e.g. inserting a script into the DOM to get requested data, instead of XHR).

I would like to summarize what the solution was to this problem. You can find a helpful URL here.

Essentially, you inject code through the page's <script> tag when importing JavaScript. Anything imported through this tag is executed immediately in the global context. So instead of passing in a JavaScript file, pass in a URL to a website that returns a page not of HTML tags but instead a page that returns JavaScript code text that calls a callback in your code.

You use URL parameters to tell the page what 'callback' to return and any parameters that need to go into the callback. For instance:

<script type="text/javascript" src="http://crossdomainhost/CrossDomainConsumerSite/Default.aspx?callback=myCallback&param1=myParam"></script>

When this is evaluated, the page content returned by the 'src' parameter is:

myCallback( myParam );

On the server side, you will create a site at that URL that overrides the OnLoad equivalent (with whatever server-side language you are using). Instead of page HTML, the OnLoad will take the URL parameters and re-swizzle them to match the callback call above.

When the substitution is made, the callback is immediately called when the client loads the page. The benefit of this is that the 'src' URL doesn't have to match the domain of the hosted page.

Here is what the client HTML page will look like at the end:

<script type="text/javascript">
    var myCallback = function( myParam ) {
        alert( "this was called across domains!" );
    };
</script>
<script type="text/javascript" src="http://crossdomainhost/CrossDomainConsumerSite/Default.aspx?callback=myCallback&param=myParam"></script>
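
The server-side step described in the answer above (turning the URL parameters into the callback call) is sketched below in Node.js as an added example; it is not code from the original post. The function names `buildJsonpBody` and `simulateScriptTag` are hypothetical. Because the `callback` value is echoed into script that the including page executes, the sketch restricts it to an identifier and serializes the argument as JSON.

```javascript
// Added example: server-side construction of the JSONP body described above.
// buildJsonpBody and simulateScriptTag are hypothetical names, not from the post.

// Allow only a plain identifier, optionally dotted (e.g. "myCallback", "app.onData").
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function buildJsonpBody(query) {
  const callback = query.callback;
  if (typeof callback !== "string" || callback.length > 64 || !CALLBACK_RE.test(callback)) {
    // The callback value is echoed into executable script, so reject anything
    // that is not a bare function reference.
    return { status: 400, contentType: "text/plain", body: "invalid callback" };
  }
  // Serialize the argument as JSON so it is always a data literal, never code.
  // U+2028/U+2029 are valid in JSON but were line terminators in older JS engines.
  const arg = JSON.stringify(query.param1 === undefined ? null : query.param1)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    contentType: "application/javascript; charset=utf-8",
    body: `${callback}(${arg});`,
  };
}

// Stand-in for the browser evaluating the <script src=...> response:
// the body runs with the page's callback in scope.
function simulateScriptTag(body, callbackName, callbackFn) {
  new Function(callbackName, body)(callbackFn);
}

// Constructed sample requests.
const ok = buildJsonpBody({ callback: "myCallback", param1: "myParam" });
let received = null;
simulateScriptTag(ok.body, "myCallback", (value) => { received = value; });
console.log(ok.body, "->", received);

// A callback value that is not a bare identifier is refused.
const rejected = buildJsonpBody({ callback: "myCallback();other", param1: "x" });
console.log(rejected.status, rejected.body);
```

The page that includes the script still runs whatever the remote host returns, so these checks protect the host's endpoint, not the consumer.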
