Ajax cross-origin question research notes

Author: fbysss
MSN: jameslastchina@hotmail.com
Blog: blog.csdn.net/fbysss
Disclaimer: This is an original article by fbysss. Please credit the source when reprinting.
Keywords: Ajax cross-origin

1. Test preparation

  • Modify the C:/Windows/system32/Drivers/etc/hosts file and add: 127.0.0.1 www.a.com www.b.com
  • Create a crossdomain directory under tomcat/webapps, create an empty WEB-INF directory, and create page_on_site_b.jsp and index_on_site_a.jsp.

page_on_site_b.jsp contains:

    var varonb = 'this is a var on Site B.';
    alert('Welcome to Site B.');

ajax_on_site_a.jsp contains:

    <script type="text/javascript">
    <!--
    var xmlhttp;
    // Older IE exposes XMLHTTP through ActiveX; other browsers have XMLHttpRequest
    if (window.ActiveXObject) {
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    else if (window.XMLHttpRequest) {
        xmlhttp = new XMLHttpRequest();
    }
    xmlhttp.onreadystatechange = callbackfunc;
    // Request a page on site B from a page served by site A
    xmlhttp.open("POST", "http://www.b.com:8888/crossdomain/page_on_site_b.jsp", true);
    xmlhttp.send(null);

    function callbackfunc() {
        // readyState 4 = request finished, status 200 = OK
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            alert("accessible");
        }
    }
    // -->
    </script>

2. Ajax does not allow cross-origin access.

Browsers behave differently depending on the situation:

  • In IE, if the remote resource is called from a local HTML file, no prompt is displayed.
  • If you put the file on the website and enter http://localhost:8888/crossdomain/ajax_on_site_a.jsp, a dialog box is displayed with the prompt "This page is accessing information beyond its control range. This may cause security risks. Continue?". Click "Yes" and the request runs correctly.
  • If you enter http://www.a.com:8888/crossdomain/ajax_on_site_a.jsp, IE reports the error "no permission".
  • In Firefox, the request cannot be executed at all, and an exception is reported: uncaught exception: Access to restricted URI denied (NS_ERROR_DOM_BAD_URI)

We can't expect users to change anything for us, so the only place we can work on this is the program itself.

3. The script tag can be cross-origin.

Write script_on_site_a.jsp:

    <!-- Used to bring in a resource from another site; it does not matter whether it is JS or JSP -->
    <script src="http://www.b.com:8888/crossdomain/page_on_site_b.jsp"></script>
    <script type="text/javascript">
    <!--
    alert(varonb); // used to check whether the remote resource was loaded correctly
    // -->
    </script>

Enter the following in the browser:

http://www.a.com:8888/crossdomain/script_on_site_a.jsp

Everything works.

4. Others

1. In actual applications, if the URL contains parameters, you can dynamically create script elements and set their src.

2. Another method is to add a servlet to the www.a.com site and have the servlet use URLConnection to obtain the resources of any site and then return the result. The page on site A only needs to call the local servlet, which avoids the cross-origin request. However, this method brings additional overhead to the local server.
See: http://deepin.javaeye.com/blog/512028

3. The JSONP support provided by Ajax frameworks can solve cross-domain problems to a certain extent. "To a certain extent" because the server must support it.
JSONP (JSON with padding):
A script tag is used to call a specific src address. The server generates the relevant data (in JSON format) and passes it as a parameter to a client-side JS function, which is then executed. The precondition is that the data output by the server must be in JSON format.
See the article http://hpyer.cn/visit-remote-data-with-jsonp-in-javascript.html

4. An iframe can be cross-origin, but there are some problems.
For a solution see http://liuhaixiao.javaeye.com/blog/81959 (not tested)

5. If all the resources are under your own control, you can use document.domain to solve the problem.

6. Latest progress: the W3C has introduced a standard for cross-origin requests. See the article on cross-origin request methods for Ajax (XMLHttpRequest): http://www.chinaz.com/Program/XML/01111035112010.html

7. There is a JS library dedicated to solving cross-origin Ajax problems:
http://www.ajax-cross-domain.com/

5. Thinking

1. Why is cross-origin not allowed?
Why have cross-origin requests been disallowed for so long? This is for security reasons. What are the risks of cross-origin requests? What I can think of is this: because Ajax can perform a series of operations without refreshing the page, once a website has been maliciously injected, users will be affected without knowing it. However, the script tag can do the same. Why is it not disabled? This question remains to be verified.

2. Why do we need to create script tags dynamically? Can't we write <script src="XXX"></script> directly?
Ajax is often used to initiate a request some time after the page has loaded, whereas a script tag written into the page is executed immediately when the page loads. To get an Ajax-like effect, for example when a button is clicked, you create the script tag dynamically to obtain the remote resource. But there are limitations: it is not real Ajax, you can only use the GET method, and the returned result must be output to make sense.
You can also refer to: http://hi.baidu.com/reydingruhui/blog/item/05f0b3e9e0b95236b90e2dc7.html
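The dynamically created script tag with URL parameters (section 4, item 1), the JSONP exchange (section 4, item 3) and the on-demand loading described above, shown from both sides. This is an added example, not code from the original article; the function names, the `callback` parameter name and the callback-name pattern are assumptions. Because whatever site B returns is executed as script on site A, the server side here refuses any callback name that is not a plain identifier.

```javascript
// Added example, not from the original article. All names are hypothetical.

// Callback names are limited to plain (optionally dotted) identifiers so the
// server never reflects arbitrary script text into the response it generates.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Client side: build the src URL, URL-encoding every parameter.
function buildJsonpUrl(base, params, callbackName) {
  const query = Object.entries({ ...params, callback: callbackName })
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
  return base + (base.includes('?') ? '&' : '?') + query;
}

// Server side: the text the page on site B would print, callbackName(JSON);
// Returns null for an unacceptable callback name (the server should answer 400).
function jsonpResponse(callbackName, data) {
  if (typeof callbackName !== 'string' || callbackName.length > 64 ||
      !CALLBACK_RE.test(callbackName)) {
    return null;
  }
  // U+2028/U+2029 are legal in JSON but were line terminators in older JS engines.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return callbackName + '(' + json + ');';
}

// Browser only: register a one-shot global callback, then inject the script tag.
// Only GET is possible, and the response runs with site A's privileges.
let jsonpCounter = 0;
function loadJsonp(base, params, onData) {
  const name = '__jsonp_cb_' + (jsonpCounter++);
  const script = document.createElement('script');
  window[name] = function (data) {
    delete window[name];                    // remove the callback after one use
    script.parentNode.removeChild(script);  // and the tag that delivered it
    onData(data);
  };
  script.src = buildJsonpUrl(base, params, name);
  document.getElementsByTagName('head')[0].appendChild(script);
}
```

In a page on site A, `loadJsonp` would be called from a button's click handler; `jsonpResponse` stands in for what the JSP on site B writes to its output.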

3. References
http://www.chinaunix.net/jh/80/988681.html
After reading this article, you should understand that the output of the back end must be a JavaScript statement. JSON data is usually used to assign a value to a variable, such as var person = {ID: '1', name: 'ss'}; the variable's value can then be read in the JS that follows. This is similar to the principle of JSONP.
http://www.jz123.cn/text/284020.html

Note: In any case, if the cross-origin resource you want to access is unknown (you do not know what results it returns), cross-origin access often cannot succeed, because the returned content can only be read as pure JavaScript.

 
