[英]Why do I still receive 405 errors even though both URLs are from XXXX.com?
I have a site where I'm developing my REST endpoints on: 我有一个网站,我正在开发我的REST端点:
https://prefixone.somesite.com https://prefixone.somesite.com
And I have another site where I'm developing my UI Framework: 我有另一个网站,我正在开发我的UI框架:
https://prefixtwo.somesite.com https://prefixtwo.somesite.com
I can successfully login and get a 200 response in IE. 我可以成功登录并在IE中获得200响应。 In FF and Chrome, I get a "405 METHOD NOT ALLOWED".
在FF和Chrome中,我得到了“405方法不允许”。 Chrome sheds more light on the situation by saying "XMLHTTPRequest cannot load XXXXXXXXXXX. Origin xxxxxxxxxxx is not allowed by Access-Control-Allow-Origin.
Chrome通过说“XMLHTTPRequest无法加载XXXXXXXXXXX”来更清楚地了解情况.Access-Control-Allow-Origin不允许使用Origin xxxxxxxxxxx。
Both of the sites are on somesite.com 这两个网站都在somesite.com上
Does this situation still qualify as XSS? 这种情况是否仍然符合XSS的条件?
Your question is "why would I still receive a 405 even though both url's are form XXXX.com?", but in fact, your URLs are NOT from the same domain. 你的问题是“为什么我仍会收到405,即使两个网址都是XXXX.com形式?”,但实际上,你的网址并非来自同一个网域。
xxx.yyyy.com
and zzz.yyyy.com
are not the same domain. xxx.yyyy.com
和zzz.yyyy.com
不是同一个域名。 They may share a significant part of their names, but they are not the same. 他们可能会分享他们名字的重要部分,但他们并不相同。
This is because it is perfectly possible for the owner of subdomains within a domain to be operated by entirely independent people. 这是因为域内子域的所有者完全可以由完全独立的人操作。 Consider
uk.com
. 考虑一下
uk.com
。 The owner of this domain sells the third-level domains within it as a competitor to the standard British country-level domain co.uk
. 该域名的所有者将其中的第三级域名作为标准英国国家级域名
co.uk
的竞争对手进行销售。
The sites at xxx.uk.com
and zzz.uk.com
are completely different sites, and you would not expect the former to be able to load content from the latter without violating the same origin policy rules. xxx.uk.com
和zzz.uk.com
上的网站是完全不同的网站,您不会指望前者能够在不违反相同原始策略规则的情况下从后者加载内容。
The browser has no knowledge of which domains would do this and which wouldn't, so it plays it safe and assumes that any two subdomains could be operated by different people. 浏览器不知道哪些域可以执行此操作,哪些不会执行此操作,因此它可以安全地运行并假设任何两个子域都可以由不同的人操作。
Even yyyy.com
and www.yyyy.com
are not considered the same thing. 即使是
yyyy.com
和www.yyyy.com
也不算是同一回事。
I hope that answers your question. 我希望能回答你的问题。
As for what to do about it.... 至于怎么办......
1) Put everything on the same subdomain. 1)将所有内容放在同一个子域中。 The most common reason for splitting a site across multiple subdomains is for performance, but unless you're operating Google or Facebook, it's unlikely to be critical to your performance, and there a probably other things you could do first that would be more helpful.
在多个子域之间拆分网站的最常见原因是为了提高性能,但除非您正在运营Google或Facebook,否则它对您的性能不太可能是至关重要的,并且您可能首先要做的其他事情会更有帮助。 Also, the new SPDY protocol (soon to evolve into HTTP v2) will render the technique obsolete.
此外,新的SPDY协议(即将发展为HTTP v2)将使该技术过时。
2) If you must split it across multiple subdomains, you might want to look into using a crossdomain.xml file , which you can place on each server, to give them explicit permissions to access each other's content. 2)如果必须将其拆分为多个子域,则可能需要考虑使用可以放置在每个服务器上的crossdomain.xml文件 ,以便为其提供访问彼此内容的显式权限。
Basically in your code you need to run the following in JavaScript: 基本上在您的代码中,您需要在JavaScript中运行以下代码:
document.domain = "somesite.com";
This will tell the browser that the part that should matter, for the purposes of the Same Origin Policy, is somesite.com
not the prefixed part. 这将告诉浏览器,出于
somesite.com
策略的目的,应该重要的部分是somesite.com
而不是前缀部分。
Look up "document domain" on Google for more. 在Google上查找“文档域”以获取更多信息。
the same origin policy restricts this. 相同的原产地政策限制了这一点。 And as the name implies it works with origins, not domains.
顾名思义它适用于起源,而不是域。 An origin is a full domain name + protocol + port number.
原点是完整的域名+协议+端口号。 So even two pages running on the same host cannot communicate if they are on different ports or protocols.
因此,即使在同一主机上运行的两个页面在不同的端口或协议上也无法通信。
If you plan to support only newer browsers look at adding x-access-control headers. 如果您计划仅支持较新的浏览器,请查看添加x-access-control标头。 If you need to support older browsers look at something like easyXDM.
如果您需要支持旧浏览器,请查看easyXDM之类的内容。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.