
Can one use Ajax on Google App Engine as a logged in user over https from a non-appspot.com domain?

Suppose:

  1. You have a website http://www.example.com that redirects to a project on Google App Engine (i.e. example.appspot.com);
  2. you want communications to pass between the user over SSL (i.e. https://example.appspot.com ); and
  3. You want the domain shown to the user to be *://www.example.com (i.e. not https://example.appspot.com ).

Given that Google's Appspot HTTPS support only works for https://example.appspot.com (i.e. you cannot set up https://www.example.com with GAE), I'd like to have an Ajax solution, namely:

  1. http://www.example.com serves HTML and Javascript over http
  2. Ajax requests go over SSL to https://example.appspot.com

My question/concern is: How does one ensure that the users logged into http://www.example.com (by way of Google's Users API ) pass their authentication credentials over Ajax to https://example.appspot.com ?

This seems to be a violation of the same origin policy (which may or may not be a concern for the Google Users API), so how would one know what user is logged in to example.com for the Ajax requests to example.appspot.com?

Thoughts, comments and input are quite appreciated.

Thank you.

Brian

When two sites cooperate there are many ways to work around the same-origin problem; see this post, for example. Only trial and error will reveal which techniques satisfy your particular requirements (which may depend on how strictly users have configured the security settings of their browsers, as well as on the server-side implementation).

You can try using JSONP to get around that. However, JSONP doesn't have very good error recovery like JSON does when doing XHR calls.

Wouldn't it be far simpler to use frames? Serve up a single full-size frameset from yourdomain.com containing content from https://yourapp.appspot.com/ .

Note, though, that either solution has the problem that users see an unsecured site, not a secured one.

example.appspot.com does not share any cookies with example.com - it will be impossible for you to identify the user without making them sign in on example.appspot.com as well.

You could, of course, completely ditch Google Authentication on example.appspot.com and implement your own scheme; you could append a signature and the username to the AJAX requests you create and verify that signature on your App Engine app. If the signature is valid, just accept the user that was passed in as the authenticated user and pretend he logged in.
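The signed-request scheme sketched in the answer above, worked out as an added example (this is not code from the original post or from App Engine itself). Python is used because it was the App Engine runtime the question's era used. Assumptions: example.com, after the Google Users API tells it who is logged in, mints a short-lived token `user|expiry|HMAC` on the server side and embeds it in the page; the browser attaches that token to each Ajax call to example.appspot.com, which verifies it with a secret shared only between the two servers. The names `SHARED_SECRET`, `mint_token`, `verify_token`, `build_ajax_url` and `handle_ajax`, the token format and the `auth` query parameter are all illustrative choices.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Assumed: a secret generated once (e.g. from os.urandom(32)) and deployed to
# both example.com and example.appspot.com. It must never reach the browser,
# so tokens are minted on example.com's server, not in the page's Javascript.
SHARED_SECRET = b"replace-with-32-random-bytes-from-os.urandom"

# Token lifetime in seconds: a token leaked from the http://www.example.com
# page can only be replayed for this long.
TOKEN_TTL = 300


def _mac(user: str, expires: int) -> str:
    # The MAC covers both the user and the expiry, so neither can be swapped
    # for another value without invalidating the signature.
    msg = f"{user}|{expires}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def mint_token(user: str, now: Optional[int] = None, ttl: int = TOKEN_TTL) -> str:
    """example.com side: called after the Google Users API has identified the user."""
    if "|" in user:
        raise ValueError("user identifier must not contain the separator")
    expires = int(now if now is not None else time.time()) + ttl
    return f"{user}|{expires}|{_mac(user, expires)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """example.appspot.com side: returns the user to treat as logged in, or None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, expires_s, mac = parts
    if not expires_s.isdigit():
        return None
    expires = int(expires_s)
    current = int(now if now is not None else time.time())
    if current >= expires:
        return None  # expired token
    # compare_digest is constant-time, so a forger learns nothing from timing
    if not hmac.compare_digest(mac, _mac(user, expires)):
        return None
    return user


def build_ajax_url(user: str, now: Optional[int] = None) -> str:
    """What example.com would embed in the page for the Javascript to call."""
    query = urlencode({"auth": mint_token(user, now)})
    return "https://example.appspot.com/api/profile?" + query


def handle_ajax(query_string: str, now: Optional[int] = None) -> Tuple[int, str]:
    """Minimal App Engine-side handler: (HTTP status, body) for one Ajax request."""
    params = parse_qs(query_string)
    token = params.get("auth", [""])[0]
    user = verify_token(token, now)
    if user is None:
        return 401, "unauthorized"
    # At this point the request is treated as coming from `user`, exactly as
    # the answer suggests: accept the passed-in user and proceed as logged in.
    return 200, f"hello {user}"


if __name__ == "__main__":
    url = build_ajax_url("brian@example.com")
    print(url)
    print(handle_ajax(url.split("?", 1)[1]))
```

Two caveats a practitioner would add: the browser still needs the appspot endpoint to answer a cross-origin request, which today means a CORS `Access-Control-Allow-Origin` header on the appspot side (or the JSONP route mentioned in the second answer), and the token is only as secret as the http://www.example.com page that carries it, which is why it expires quickly and why the request itself must go over https.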
