cross-domain

I thought cross-subdomain AJAX requests were allowed, but this Chrome error seems to indicate otherwise

淺唱寂寞╮ submitted on 2019-12-17 18:36:07
Question: I know that cross-domain requests are disallowed for security reasons, but I was under the impression that only the top-level domain needed to match, that different sub-domains were okay. However, I am getting this error from Chrome 7: "Unsafe JavaScript attempt to access frame with URL http://foo.somedomain.com/dir/page.html from frame with URL http://bar.somedomain.com/otherdir/otherpage.html. Domains, protocols and ports must match" What exactly are the rules for these types of requests?

Default value for Access-Control-Allow-Methods

纵然是瞬间 submitted on 2019-12-17 18:26:29
Question: I just learned about the Access-Control-Allow-Methods header, e.g. Access-Control-Allow-Methods: OPTIONS, HEAD, GET I have never used this header (just Access-Control-Allow-Origin), but I have gotten CORS to work in the past. Is the default to allow all methods, or have I gotten lucky with undefined behavior? Answer 1: Just to clarify, Access-Control-Request-Method is a request header that is set by the browser on CORS preflight requests, and it can only have one value. The Access-Control-Allow

Cross-domain-cookies - a maybe new idea

对着背影说爱祢 submitted on 2019-12-17 17:34:58
Question: My buddy Carsten Lau came along with an interesting idea on how to read cross-domain-cookies. Situation: You want to read a cookie from domain "A" that was set on domain "B". Idea: From the client on domain "A", you execute a get-request to a dynamic resource on domain "B" – f.e. an image or javascript, which on the server "B" is in fact a programming language capable of reading cookies like PHP, Java etc. With that request, you send a unique identifier like a session id. So the code on the

Ajax - 'Origin localhost is not allowed by Access-Control-Allow-Origin'

时光总嘲笑我的痴心妄想 submitted on 2019-12-17 17:00:45
Question: I'm relatively new to Ajax and was just tasked with this cross-domain call. We have a text box on our web page that a user will use to perform a search of company names. By clicking a button next to the text box, the Ajax call will be requested. Unfortunately the web service is located in a separate domain, so this is naturally causing issues. Below is my best attempt at making this work. I should also note, the purpose of this call is to return the results in an XML format, which will be

CORS Access-Control-Allow-Origin despite correct headers

烂漫一生 submitted on 2019-12-17 16:48:40
Question: I am trying to set up simple Cross-Origin Resource Sharing using jQuery (1.7.1) powered ajax on the client and apache served python (django) server. According to all the instructions I have read my headers are set correctly, but I keep getting the following error: XMLHttpRequest cannot load http://myexternaldomain.com/get_data. Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin. The header being I am trying to (I am not sure it is even getting past the browser) send is

Cross Domain Limitations With Ajax - JSON

和自甴很熟 submitted on 2019-12-17 16:31:41
Question: When requesting (ht|x)ml with ajax you can only send requests to the same domain. But if you request JSON you can send it to any domain. Why? I'm told it's for security but why would a website do something malicious via ajax rather than just directly if that makes sense. Answer 1: Check out this wikipedia article. The reason why JSON is 'safe' is because you have to pass it through a callback. The remote site will run return JSON and your javascript library will not just run it blindly but try to

Receive .csv file as data in ajax success function

佐手、 submitted on 2019-12-17 16:29:19
Question: Please consider this javascript: $.ajax({ url:'http://ichart.finance.yahoo.com/table.csv?s=GS&a=00&b=1&c=2010&d=08&e=3&f=2012&g=d&ignore=.csv', type:'get', dataType:'jsonp', success:function(data){ alert(data); } }) The URL returns a .csv file, but I am specifying the jsonp data type because this is a cross-domain ajax request. Without that parameter I get the "origin is not allowed" error. Since I specify the jsonp data type, the ajax function throws an error because the .csv file is not

How can I access the Content-Length header from a cross domain Ajax request?

三世轮回 submitted on 2019-12-17 16:11:54
Question: My JavaScript application needs to determine the length of a resource before downloading it with Ajax. Ordinarily this is not a problem, you just make a HEAD request and extract the Content-Length. var xhr = $.ajax({type:"HEAD", url: "http://own-domain/file.html"}) xhr.getResponseHeader("Content-Length") // "2195" However, the resources are stored on a different server to the client. (A server I control). So I'm using CORS to make cross domain ajax requests, and have set up the server to

Why do browser APIs restrict cross-domain requests?

邮差的信 submitted on 2019-12-17 15:23:14
Question: XMLHttpRequests require CORS to work cross-domain. Similarly for web fonts, WebGL textures, and a few other things. In general all new APIs seem to have this restriction. Why? It's so easy to circumvent: all it takes is a simple server-side proxy. In other words, server-side code isn't prohibited from doing cross-domain requests; why is client-side code? How does this give any security, to anyone? And it's so inconsistent: I can't XMLHttpRequest, but I can <script src> or <link rel> or <img

Calling webpage JavaScript methods from browser extension

≯℡__Kan透↙ submitted on 2019-12-17 14:57:15
Question: I am developing a Firefox extension using webExtensions that would help me ease my work with the scenario below. I have to click around 50-60 buttons on the site that update the task status. On click of this button, the web page is calling the webpage's updTask(id) JavaScript function that is then making a web-service call to update the task. I am not able to do this from my content script using the code below: manifest.json: "permissions": [ "activeTab", "cross-domain-content": ["http:/