HTTP cross-Domain

First, the traditional

Ajax cross-domain access is an old problem, a lot of solutions, more commonly used is the Jsonp method, the Jsonp method is an unofficial method, and this method only supports get mode, not as secure as post. Even if you use the Jsonp method of jquery, type is set to post and is automatically changed to get.

Official Question Description:

"Script": evaluates the response as JavaScript and returns it as plain text. Disables caching by appending a query string parameter, "_=[timestamp]", to the URL unless the cache option is set to True . Note:this would turn POSTs into GETs a for remote-domain requests.

If you use post for cross-domain, you can use the Create a hidden iframe, like the Ajax upload image principle, but it will be more cumbersome.

Second, when cross-domain access, the browser will send a request

Without setting the span, the browser will return

XMLHttpRequest cannot load http://google.com/. No ' Access-control-allow-origin ' header is present on the requested resource. Origin ' Http://run.jsbin.io ' is therefore not allowed access.

The network does not have any records in the development tool. But the actual request will still be sent, only in the browser did the interception. Reference: Access-control-allow-origin and cross-domain

Third, access-control-allow-origin to achieve cross-domain access

With the increasing application of cross-domain requests, the Cross-origin Resource sharing is a standard solution for cross-domain requests. IE8, Firefox 3.5 and later versions, Chrome browser, Safari 4, etc. have implemented the Cross-origin Resource sharing specification, which enables cross-domain requests. All cors-related response headers are prefixed with "access-control-":

• Access-control-allow-origin (must) this must be included in all legitimate cross-domain requests response, whose value is either the value in the Origin header or "*" to allow requests from any domain.
• Access-control-allow-credentials (optional), the cookie is not included in the Cors request by default, and using this header will indicate that a cookie is included in the Cors request and that its valid value is true. If a cookie is not required, the correct way is not to set its value to false, but not to include the header at all.
• Access-control-expose-header (optional), XMLHttpRequest 2 object has a getResponseHeader () method that returns a specific response Header, But it can only get a simple response header, if you want to let the client access to some other header, you must set this access-control-expose-header, its value is comma-delimited, you want to burst to the client header.

When the server responds to the client, bring the Access-control-allow-origin header information.

• If you set access-control-allow-origin:*, scripts for all domain names are allowed to access the resource.
• access-control-allow-origin:http://www.phpddt.com.com, allowing specific domain names to be accessed.

Reference:

• Resolve cross-domain requests with access-control-allow-origin response headers
• Cross-origin resource sharing crosses Origin Resource sharing (CORS) (emphasis)
• Ajax settings Access-control-allow-origin for cross-domain access

Iv. ASP. Access-control-allow-origin Header Information 1.web.config

The addition of a unified Access-control-allow-origin return header in Web. config is the most primitive and straightforward. Both the old version of WebForm and MVC are available.

CORS on IIS7 for Microsoft IIS7, merge this to the Web. config file at the root of your application or site:

<?xml version= "1.0" encoding= "Utf-8"? >< configuration> <system.webServer > <httpprotocol> <customheaders> <add name = "Access-control-allow-origin" value=  "*"/> </customheaders> </httpprotocol> </ system.webserver> </configuration                 

2. Customize the attribute to add header information

A) Create a attribute

public class AllowCrossSiteJsonAttribute : ActionFilterAttribute{    public override void OnActionExecuting(ActionExecutingContext filterContext) { filterContext.RequestContext.HttpContext.Response.AddHeader("Access-Control-Allow-Origin", "*"); base.OnActionExecuting(filterContext); }}

b) Action applied to the Controller

[AllowCrossSiteJson]public ActionResult YourMethod(){    return Json("data");}

Reference: ASP. NET MVC Settings Access-control-allow-origin

3.microsoft.aspnet.cors

Using the Microsoft.AspNet.Cors package, this is a Microsoft packaged a class library, the principle is the same as before, if interested, can refer to the following article Configuration in detail:

• Enabling Cross-origin requests in ASP. NET Web API 2 (official website)
• Cross-domain request functionality in an ASP. NET 5 Application

HTTP cross-Domain