堆栈内存溢出
  简体   繁体   English

为什么即使两个URL都来自XXXX.com,我仍然会收到405错误?

[英]Why do I still receive 405 errors even though both URLs are from XXXX.com?

 原文  2012-08-11 22:13:57       javascript/ jquery/ xss

问题描述

I have a site where I'm developing my REST endpoints on: 我有一个网站,我正在开发我的REST端点:

https://prefixone.somesite.com https://prefixone.somesite.com

And I have another site where I'm developing my UI Framework: 我有另一个网站,我正在开发我的UI框架:

https://prefixtwo.somesite.com https://prefixtwo.somesite.com

I can successfully login and get a 200 response in IE. 我可以成功登录并在IE中获得200响应。 In FF and Chrome, I get a "405 METHOD NOT ALLOWED". 在FF和Chrome中,我得到了“405方法不允许”。 Chrome sheds more light on the situation by saying "XMLHTTPRequest cannot load XXXXXXXXXXX. Origin xxxxxxxxxxx is not allowed by Access-Control-Allow-Origin. Chrome通过说“XMLHTTPRequest无法加载XXXXXXXXXXX”来更清楚地了解情况.Access-Control-Allow-Origin不允许使用Origin xxxxxxxxxxx。

Both of the sites are on somesite.com 这两个网站都在somesite.com上

Does this situation still qualify as XSS? 这种情况是否仍然符合XSS的条件?

3 个解决方案

解决方案1
 2 已采纳  2012-08-12 22:10:14

Your question is "why would I still receive a 405 even though both url's are form XXXX.com?", but in fact, your URLs are NOT from the same domain. 你的问题是“为什么我仍会收到405,即使两个网址都是XXXX.com形式?”,但实际上,你的网址并非来自同一个网域。

xxx.yyyy.com and zzz.yyyy.com are not the same domain. xxx.yyyy.comzzz.yyyy.com不是同一个域名。 They may share a significant part of their names, but they are not the same. 他们可能会分享他们名字的重要部分,但他们并不相同。

This is because it is perfectly possible for the owner of subdomains within a domain to be operated by entirely independent people. 这是因为域内子域的所有者完全可以由完全独立的人操作。 Consider uk.com . 考虑一下uk.com The owner of this domain sells the third-level domains within it as a competitor to the standard British country-level domain co.uk . 该域名的所有者将其中的第三级域名作为标准英国国家级域名co.uk的竞争对手进行销售。

The sites at xxx.uk.com and zzz.uk.com are completely different sites, and you would not expect the former to be able to load content from the latter without violating the same origin policy rules. xxx.uk.comzzz.uk.com上的网站是完全不同的网站,您不会指望前者能够在不违反相同原始策略规则的情况下从后者加载内容。

The browser has no knowledge of which domains would do this and which wouldn't, so it plays it safe and assumes that any two subdomains could be operated by different people. 浏览器不知道哪些域可以执行此操作,哪些不会执行此操作,因此它可以安全地运行并假设任何两个子域都可以由不同的人操作。

Even yyyy.com and www.yyyy.com are not considered the same thing. 即使是yyyy.comwww.yyyy.com也不算是同一回事。

I hope that answers your question. 我希望能回答你的问题。

As for what to do about it.... 至于怎么办......

1) Put everything on the same subdomain. 1)将所有内容放在同一个子域中。 The most common reason for splitting a site across multiple subdomains is for performance, but unless you're operating Google or Facebook, it's unlikely to be critical to your performance, and there a probably other things you could do first that would be more helpful. 在多个子域之间拆分网站的最常见原因是为了提高性能,但除非您正在运营Google或Facebook,否则它对您的性能不太可能是至关重要的,并且您可能首先要做的其他事情会更有帮助。 Also, the new SPDY protocol (soon to evolve into HTTP v2) will render the technique obsolete. 此外,新的SPDY协议(即将发展为HTTP v2)将使该技术过时。

2) If you must split it across multiple subdomains, you might want to look into using a crossdomain.xml file , which you can place on each server, to give them explicit permissions to access each other's content. 2)如果必须将其拆分为多个子域,则可能需要考虑使用可以放置在每个服务器上的crossdomain.xml文件 ,以便为其提供访问彼此内容的显式权限。

解决方案2
 0  2012-08-11 23:44:43

Basically in your code you need to run the following in JavaScript: 基本上在您的代码中,您需要在JavaScript中运行以下代码: 

document.domain = "somesite.com";

This will tell the browser that the part that should matter, for the purposes of the Same Origin Policy, is somesite.com not the prefixed part. 这将告诉浏览器,出于somesite.com策略的目的,应该重要的部分是somesite.com而不是前缀部分。

Look up "document domain" on Google for more. 在Google上查找“文档域”以获取更多信息。

解决方案3
 0  2012-08-12 21:36:50

the same origin policy restricts this. 相同的原产地政策限制了这一点。 And as the name implies it works with origins, not domains. 顾名思义它适用于起源,而不是域。 An origin is a full domain name + protocol + port number. 原点是完整的域名+协议+端口号。 So even two pages running on the same host cannot communicate if they are on different ports or protocols. 因此,即使在同一主机上运行的两个页面在不同的端口或协议上也无法通信。

If you plan to support only newer browsers look at adding x-access-control headers. 如果您计划仅支持较新的浏览器,请查看添加x-access-control标头。 If you need to support older browsers look at something like easyXDM. 如果您需要支持旧浏览器,请查看easyXDM之类的内容。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 为什么即使在 Postman 中返回,我也无法从 POST 请求中接收正文? - Why can't I receive the body from a POST request even though it is returned in Postman? 自定义网站xxxx.com使用的附件要求在桌面上安装IE消息 - Customizing The Site xxxx.com uses add-ons that requires IE on Desktop message 我收到了单选按钮的 output 值,即使其中一个被选中 - i receive the output value of radio buttons as both on even though one is checked 为什么即使我创建了 model,我仍然得到“没有这样的表”? - Why do I get `no such table` even though I created the model? 为什么我会收到“密码不正确”的响应,即使它是正确的? - Why do I get "incorrect password" response even though it is correct? 为什么这些JavaScript代码片段表现不同,即使它们都遇到错误? - Why do these snippets of JavaScript behave differently even though they both encounter an error? React - 即使我添加了onChange,为什么输入字段仍然只读(即不可编辑)? - React - Why is input field still readonly (i.e. not editable) even though I've added onChange? 为什么即使我使用的是 Set,我的表上的两列也会出现重复值? - Why am I seeing repeated values for both columns on my table even though I'm using a Set? 为什么我的表单即使返回false仍仍在提交? - Why is my form still submitting even though it returns false? 即使我有正确的标题,也不允许使用 CORS 405 方法(我认为) - CORS 405 Method Not Allowed even though I have the right headers (I think)
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM