简体繁体 English

跨源资源共享和文件：//

[英]Cross-Origin resource sharing and file://

原文 2011-02-28 04:02:39 6 2 javascript/ ajax/ json/ html5/ jsonp

I am writing an HTML5 application that is gathering data from a few different sources using JSONP. 我正在编写一个HTML5应用程序，它使用JSONP从几个不同的来源收集数据。 Anything I'm doing with a GET works perfectly. 我正在使用GET做的任何事情都能很好地完成。 I'm now trying to POST data, and I've run into an interesting snag. 我现在正试图发布数据，我遇到了一个有趣的障碍。 I need to POST data from my application to another, where my application is running from a local machine. 我需要将数据从我的应用程序POST到另一个应用程序从本地计算机运行。 I am trying to write a cross-platform capable mobile application (think Pulse/Flipboard), so the code will always be running from a local source. 我正在尝试编写一个支持跨平台的移动应用程序（想想Pulse / Flipboard），因此代码将始终从本地源运行。 My thought process was as follows: 我的思考过程如下：

Use JSONP - JSONP does not allow for posting, it just doesn't work that way ( Post data to JsonP ) 使用JSONP - JSONP不允许发布，它只是不起作用（将数据发布到JsonP ）
Rely on CORS - Since the request is coming from a local source using file:// , the origin header is null. 依赖于CORS - 由于请求来自使用file://的本地源，因此origin头为空。 This causes the request to fail ( XmlHttpRequest error: Origin null is not allowed by Access-Control-Allow-Origin ) 这会导致请求失败（ XmlHttpRequest错误：Access-Control-Allow-Origin不允许使用Origin null ）
Use another server to bounce the request off of - this would be expensive 使用另一台服务器退出请求 - 这将是昂贵的

All of the browsers I'm targeting are webkit based (iPad, Playbook, Android), so I'm wondering if there are any creaks in the same origin policy code that I can sneak through? 我所针对的所有浏览器都是基于webkit的（iPad，Playbook，Android），所以我想知道在同一个原始政策代码中是否有任何吱吱声，我可以偷偷摸摸通过？ Maybe something using iframe or postMessage? 也许是使用iframe或postMessage的东西？

2 个解决方案

As it would turn out, the easiest way to do this is to post to the target url inside of an iframe. 事实证明，最简单的方法是将目标网址发布到iframe内部。 Same origin policy on most browsers allows you to perform an HTTP POST from one domain to another unrelated domain. 大多数浏览器上的同源策略允许您从一个域到另一个不相关的域执行HTTP POST。 I solved the problem by adding an iframe to my page, initially set to a local bootstrapping page. 我通过向我的页面添加iframe解决了这个问题，最初设置为本地引导页面。 Since that page was loaded from the same domain, I am able to control it via script. 由于该页面是从同一个域加载的，因此我可以通过脚本控制它。 I used that to post the form to my target site, and polled the results to determine if my call was successful. 我用它将表单发布到我的目标站点，并轮询结果以确定我的呼叫是否成功。 It's not elegant, but it works. 它不优雅，但它的工作原理。

This Javascript library can almost certainly help you: 这个Javascript库几乎可以肯定地帮助你：

http://easyxdm.net/ http://easyxdm.net/

easyXDM is a Javascript library that enables you as a developer to easily work around the limitation set in place by the Same Origin Policy, in turn making it easy to communicate and expose javascript API's across domain boundaries. easyXDM是一个Javascript库，使您作为开发人员可以轻松解决相同原始策略所设置的限制集，从而可以轻松地跨域边界进行通信和公开JavaScript API。

.. ..

At the core easyXDM provides a transport stack capable of passing string based messages between two windows, a consumer (the main document) and a provider (a document included using an iframe). 在核心，easyXDM提供了一个传输堆栈，能够在两个窗口，消费者（主文档）和提供者（使用iframe包含的文档）之间传递基于字符串的消息。 It does this by using one of several available techniques, always selecting the most efficient one for the current browser. 它通过使用几种可用技术之一来实现这一点，始终为当前浏览器选择最有效的技术。 For all implementations the transport stack offers bi-directionality, reliability, queueing and sender-verification. 对于所有实现，传输堆栈提供双向性，可靠性，排队和发送方验证。