JavaScript and CouchDB - How do I avoid cross-origin policy errors on GET/POST/PUT/DELETE requests_问答_开发者

JavaScript and CouchDB - How do I avoid cross-origin policy errors on GET/POST/PUT/DELETE requests

开发者 https://www.devze.com 2023-01-15 08:46 出处：网络

I am posting this question on Super User as well. In my opinion this question overlaps the two... I am creating a simple JavaScript wrapper for 开发者_运维百科CouchDB\'s REST-ful interface, but I am

I am posting this question on Super User as well. In my opinion this question overlaps the two...

I am creating a simple JavaScript wrapper for 开发者_运维百科CouchDB's REST-ful interface, but I am stuck on same-origin policy issues.

So far I've been developing my code to work locally - and only as a proof of concept - on Mozilla FireFox. My server is running on localhost, port 5984.

To disable cross-origin policy in Mozilla FireFox you can use the PrivilegeManager, but it only gets me half-way in the sense that I can't do PUT requests against my server...

/*
 * Including this in my JavaScript file only seems to disable cross-origin
 * policy checks for POST and GET requests in Mozilla FireFox.
 * PUT requests fail.
 */

netscape.security.PrivilegeManager.enablePrivilege(
    "UniversalBrowserRead UniversalBrowserWrite"
);

Is there any way that I can configure my server to hide it's location so I won't have to implement browser-specific work-arounds to avoid same-origin policy issues? If not: what browser work-arounds exist to disable same-origin policy completely?

Unfortunately, any browser workarounds to disable same-origin policies are likely to be treated as serious security bugs and fixed as soon as possible.

See if you can come up with a way to work within the same-origin policy without trying to bypass it.

Can you serve your example scripts on the target server? Could you build a reflection script that would load the target script on your server after a local script on the users computer uploaded whatever they modified?

There should be a good solution that doesn't involve bypassing the same-origin policy. Trying to hack your way around it is a good way to ensure that your code doesn't work properly in future browsers.

I strugled with that issue too, trying to run automated tests on a local html file connecting to a virtualized CouchDB server, here's my solution:

I created a small implementation (and open sourced it) of the simplest solution when you can't enable CORS on the server,

you need to upload a .js and an .html file to the target server, (you can use any security mechanism to restrict access to this file if you want). Or you can change some simple parameters on the html file to restrict by domain.

On your page you use the same script to create an invisible iframe where the hosted .html is loaded, and proxy certain methods (sort-of RPC) thru that iframe using window.postMessage(), by default jQuery ajax methods can be proxied without extra configuration.

All this with one line of js code :)

FrameProxy at GitHub

(fell free to use it and fork it!)