I'm making a RESTful web service call in my JavaScript page and get the following warning:
"This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?"
Now I've read up on this and am aware of the cross-domain, same origin policy. However, I don't get such warnings when I consume other APIs like Google's Maps API. Clearly the domain is not the same as my local domain. What is the difference?
My initial guess is that Google is 'imported' into the page using the <script> tag while my REST consumption is using XMLHttpRequest. If that is the case, what is the difference between these two approaches that one would merit a warning and the other not?
2 Answers
#1
5
The following might explain things: http://markmail.org/message/5wrphjwmo365pajy
Also, they employ some script hacks (e.g. inserting a script into the DOM to get requested data, instead of XHR).
#2
0
I would like to summarize what the solution was to this problem. You can find a helpful URL here.
Essentially, you inject code through the page's <script> tag when importing JavaScript. Anything imported through this tag is executed immediately in the global context. So instead of passing in a JavaScript file, pass in a URL to a website that returns a page not of HTML tags but instead a page that returns JavaScript code text that calls a callback in your code.
You use URL parameters to tell the page what 'callback' to return and any parameters that need to go into the callback. For instance:
<script type="text/javascript" src="http://crossdomainhost/CrossDomainConsumerSite/Default.aspx?callback=myCallback&param1=myParam"></script>
When this is evaluated, the page content returned by the 'src' parameter is:
myCallback( myParam );
On the server side, you will create a site at that URL that overrides the OnLoad equivalent (with whatever server-side language you are using). Instead of page HTML, the OnLoad will take the URL parameters and re-swizzle them to match the callback call above.
When the substitution is made, the callback is immediately called when the client loads the page. The benefit of this is that the 'src' URL doesn't have to match the domain of the hosted page.
Here is what the client HTML page will look like at the end:
<script type="text/javascript">
var myCallback = function( myParam ) {
alert( "this was called across domains!" );
};
</script>
<script type="text/javascript" src="http://crossdomainhost/CrossDomainConsumerSite/Default.aspx?callback=myCallback&param=myParam"></script>
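The server side of the scheme this answer describes, as an added example in Node.js that is not the answerer's code: it assumes a hypothetical endpoint that receives the query string from the <script> tag above and must return the `myCallback( myParam );` text, and it puts the naive string concatenation beside a hardened builder that validates the callback name and JSON-encodes the parameter, because whatever this endpoint returns executes in the calling page's global scope.

```javascript
'use strict';
// Added example, not part of the original answer. Both functions take the raw
// query string ("callback=myCallback&param=myParam") and return what the
// server should send back; no web server is needed to exercise them.

// Naive version of what the answer describes: the callback name and the
// parameter are pasted straight into executable JavaScript. Any caller who can
// influence these values can make the endpoint emit arbitrary script, so this
// is shown only as the "before" case.
function buildJsonpNaive(query) {
  const q = new URLSearchParams(query);
  return q.get('callback') + '( ' + q.get('param') + ' );';
}

// A callback must be a plain (optionally dotted) JavaScript identifier such as
// "myCallback" or "app.onData". Anything else, e.g. "alert(1);//", is refused.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Hardened version: the callback name is validated, the parameter is emitted as
// a JSON string literal rather than raw code, and the response is labelled as
// JavaScript with nosniff so the browser does not reinterpret it.
function buildJsonp(query) {
  const q = new URLSearchParams(query);
  const cb = q.get('callback') || '';
  if (!CALLBACK_RE.test(cb)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  // JSON.stringify gives a valid JS literal; U+2028/U+2029 are legal inside
  // JSON strings but are line terminators in older JS engines, so escape them.
  const literal = JSON.stringify(q.get('param'))
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff'
    },
    body: cb + '(' + literal + ');'
  };
}
```

With the hardened builder the client page above is unchanged; it still declares `myCallback` and loads the endpoint via a <script> tag, but the endpoint can no longer be steered into returning code other than a call to an identifier.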