Same origin issue (file upload)

Developer https://www.devze.com 2023-02-28 23:26 Source: Web
The client is on domain foo.com and needs to upload (send POST XMLHttpRequest) to upload.foo.com.

This is restricted because of the same origin policy.

However, the workaround that I managed to come up with is to dynamically create an iframe on foo.com opening upload.foo.com and append the JavaScript code which executes the POST request from upload.foo.com like this: iframe.onLoad [..]

// runs in the iframe's onload handler; `doc` is the iframe's document (upload.foo.com)
var doc = iframe.contentDocument, a, b;
// create a <script> element in that document, point it at the upload endpoint
// (random query string defeats caching) and append it so it executes there
(a = (b = doc).createElement('script'))
  .src = 'http://foo.com/upload.php?' + Math.random(),
b.body.appendChild(a);
void(0);

Now, to me this seems redundant: if the latter is possible, my logic tells me that the former should be possible as well. Is it?

-- update

I have just noticed that there is a file on the sub domain containing this:

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="*.foo.com" secure="false" />
</cross-domain-policy>

Can I use it somehow to my advantage?


XMLHttpRequest is not sensitive to document.domain because the object requires mutual opt-in for security reasons, and XHR has no way of knowing what the target might want the document.domain value to be set to. In order for SiteA to interact with the DOM of a site on SiteB, both sites must share a common private domain suffix, and both must opt-in to the communication by setting document.domain to their common suffix.

Your cross-domain policy file doesn't actually make a lot of sense (as it opts-in everything, and then a subset of everything) but it's used for Flash, not XHR (which uses CORS).
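The answer above points out that XHR is governed by CORS, not by crossdomain.xml. The following added example (not code from the question or from either answer) shows the response-side decision upload.foo.com would make so that POST uploads from foo.com succeed while other origins are refused; the allowed origins https://foo.com and https://www.foo.com, the request shape and the sample requests are all constructed assumptions.

```javascript
// Exact-match allow list. A wildcard "*" (like the domain="*" rule in the
// crossdomain.xml above) would let any site on the web POST to the upload
// endpoint, and browsers refuse to combine "*" with credentials anyway.
const ALLOWED_ORIGINS = new Set(['https://foo.com', 'https://www.foo.com']);

// Returns the CORS response headers for a request, or null when the Origin is
// not on the allow list (the browser then withholds the response from the caller).
// `req` is assumed to look like Node's IncomingMessage: { method, headers }.
function corsHeadersFor(req) {
  const origin = req.headers['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,      // echo the single matched origin, never "*"
    'Vary': 'Origin',                           // caches must key on Origin when it is echoed
    'Access-Control-Allow-Credentials': 'true', // cookies travel with the upload
  };
  if (req.method === 'OPTIONS') {
    // Preflight: advertise only what the upload endpoint actually needs
    headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, X-Requested-With';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Record the decision for each request in a batch.
function decide(requests) {
  return requests.map(r => ({ origin: r.headers['origin'], allowed: corsHeadersFor(r) !== null }));
}

// Constructed sample requests (not real traffic).
const SAMPLE_REQUESTS = [
  { method: 'OPTIONS', headers: { origin: 'https://foo.com' } },
  { method: 'POST',    headers: { origin: 'https://www.foo.com' } },
  { method: 'POST',    headers: { origin: 'https://evil.example' } },
  // a suffix look-alike: a naive endsWith('foo.com') check would pass it, exact match does not
  { method: 'POST',    headers: { origin: 'https://foo.com.evil.example' } },
  // no Origin at all (same-origin or non-browser client): no CORS headers are emitted
  { method: 'POST',    headers: {} },
];

console.log(decide(SAMPLE_REQUESTS));
```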


I don't think it's possible to simplify this, but if it seems inelegant to you, there are simpler ways to use cross-origin JS.

Indeed, this is almost exactly what jQuery does if you try to send a request using jsonp. Wikipedia for JSONP
(Along with several other ways to bypass the same-origin restriction)

I don't know if this is what you're asking about, but in the name of maintainability, I would advise that you use the jQuery approach.

You need to set dataType: 'jsonp' and you're all set. You can optionally set the parameter "callback=?" (look at the docs).
