同源是指相同的协议、域名、端口,三者都相同才属于同域。不符合上述定义的请求,则称为跨域。
相信每个开发人员都曾遇到过跨域请求的情况,虽然情况不一样,但问题的本质都可以归为浏览器出于安全考虑下的同源策略的限制。
跨域的情形有很多,最常见的有Ajax跨域、Socket跨域和Canvas跨域。下面列举一些我们常见的跨域情形下,某些浏览器控制台给出的错误提示:
FireFox下的提示:
已阻止交叉源请求:同源策略不允许读取***上的远程资源。可以将资源移动到相同的域名上或者启用 CORS 来解决这个问题。
Canvas跨域Chrome下的提示:
UncaughtSecurityError:Failed to execute'getImageData' on 'CanvasRenderingContext2D':The canvas has been taintedby cross-origin data.
或:
Imagefrom origin 'http://js.xx.com' has been blocked from loading by Cross-OriginResource Sharing policy: No 'Access-Control-Allow-Origin' header is present onthe requested resource. Origin 'http://act.xx.com' is therefore not allowedaccess.
1)document.domain+iframe的设置
2)动态创建script
3)利用iframe和location.hash
4)window.name实现的跨域数据传输
5)使用HTML5 postMessage
6)利用flash
7)通过代理,js访问代理,代理转到不同的域
http://developer.yahoo.com/javascript/howto-proxy.html
8)jQuery JSONP(不能成为真正的Ajax,本质上仍是动态创建script)
http://www.cnblogs.com/chopper/archive/2012/03/24/2403945.html
9)跨域资源共享(CORS) 这是HTML5跨域问题的标准解决方案
说明:方案1~方案6见Rain Man所写的文章《JavaScript跨域总结与解决办法》
http://www.cnblogs.com/rainman/archive/2011/02/20/1959325.html
1) 绕开跨域。
适用情形是:动静分离。
example1.com域名下的页面中跨域请求是以JavaScript内联方式实现的,而请求的目标静态资源是放在example2.com域名下,这时可以将执行跨域请求的JavaScript代码块独立出来,放到example2.com上,而example1.com页面通过外联方式引入该静态域名下的js文件。这样,js与请求的图片等资源都在example2.com下,即可正常访问到。这种方法其实是一种巧妙避开跨域的方法。
适用情形:动静不分离(两个域名均运行访问静态资源)。
example1.com请求example2.com下的资源图片,可以使用PHP抓取图片并在example2.com下生成一份,这样就可以间接访问到example1.com的静态资源。
html模板示例代码:
$("#scratchpad").wScratchPad({ //刮刮卡示例,当前域名http://act.xxx.com
width:283,
height:154,
//color: "#a9a9a7",
image2:"imgdata.PHP?url=http://js.xxx.com/static/activity/sq/guagua315/images/card_inner.jpg",
scratchMove:function() {
}
});
或:
xi=newXMLHttpRequest();
xi.open("GET","imgdata.PHP?url="+yourImageURL,true);
xi.send();
xi.onreadystatechange=function() {
if(xi.readyState==4 && xi.status==200) {
img=newImage;
img.onload=function(){
ctx.drawImage(img, 0,0,canvas.width,canvas.height);
}
img.src=xi.responseText;
}
$url=$_GET['url'];
$img =file_get_contents($url);
$imgname = substr(strrchr($url,"/"),1);
file_put_contents($fn,$img);
echo $imgname;
?>
3) 后台程序设置Access-Control-Allow-Origin
适用情形:Ajax获取跨域接口的JSON数据。
example1.com请求example2.com的数据接口,则需要在example2.com的数据接口添加跨域访问授权。
PHP程序中开始出添加header('HeaderName:HeaderValue'); 这样的header标记:
header('Access-Control-Allow-Origin:*');
4)修改服务器配置启用CORS
适用情形:跨域访问静态资源。
Access-Control-Allow-Origin是什么作用呢?用于授权资源的跨站访问。比如,静态资源图片都放在example2.com 域名下,如果在返回的头中没有设置 Access-Control-Allow-Origin,那么别的域是没有权限外链你的图片的。
要实现CORS跨域,服务端需要这个一个流程,图片引自html5rocks,附图如下
a.对于简单请求,如GET,只需要在HTTP Response后添加Access-Control-Allow-Origin。
b.对于非简单请求,比如POST、PUT、DELETE等,浏览器会分两次应答。第一次preflight(method: OPTIONS),主要验证来源是否合法,并返回允许的Header等。第二次才是真正的HTTP应答。所以服务器必须处理OPTIONS应答。
这里是一个Nginx启用CORS的参考配置示例http://enable-cors.org/server_nginx.html。代码:
- @H_502_212@@H_502_212@#
- @H_502_212@#ACORS(Cross-OriginResouceSharing)configforNginx
- @H_502_212@#
- @H_502_212@#==Purpose
- @H_502_212@#
- @H_502_212@#ThisNginxconfigurationenablesCORSrequestsinthefollowingway:
- @H_502_212@#-enablesCORSjustfororiginsonawhitelistspecifiedbyaregularexpression
- @H_502_212@#-CORSpreflightrequest(OPTIONS)arerespondedimmediately
- @H_502_212@#-Access-Control-Allow-Credentials=trueforGETandPOSTrequests
- @H_502_212@#-Access-Control-Max-Age=20days,tominimizerepetitiveOPTIONSrequests
- @H_502_212@#-varIoUssuperluoussettingstoaccommodatenonconformantbrowsers
- @H_502_212@#
- @H_502_212@#==CommentonechoingAccess-Control-Allow-Origin
- @H_502_212@#
- @H_502_212@#HowdoyouallowCORSrequestsonlyfromcertaindomains?Thelast
- @H_502_212@#publishedW3Ccandidaterecommendationstatesthatthe
- @H_502_212@#Access-Control-Allow-Originheadercanincludealistoforigins.
- @H_502_212@#(See:http://www.w3.org/TR/2013/CR-cors-20130129/#access-control-allow-origin-response-header)
- @H_502_212@#However,browsersdonotsupportthiswellanditlikelywillbe
- @H_502_212@#droppedfromthespec(see,http://www.rfc-editor.org/errata_search.PHP?rfc=6454&eid=3249).
- @H_502_212@#
- @H_502_212@#Theusualworkaroundisfortheservertokeepawhitelistof
- @H_502_212@#acceptableorigins(asaregularexpression),matchtherequest's
- @H_502_212@#Originheaderagainstthelist,andechobackthematchedvalue.
- @H_502_212@#
- @H_502_212@#(Yesyoucanuse'*'toacceptalloriginsbutthisistooopenand
- @H_502_212@#preventsusing'Access-Control-Allow-Credentials:true',whichis
- @H_502_212@#neededforHTTPBasicAccessauthentication.)
- @H_502_212@#
- @H_502_212@#==Commentonspec
- @H_502_212@#
- @H_502_212@#CommentsbelowareallbasedonmyreadingoftheCORSSpecasof
- @H_502_212@#2013-Jan-29(http://www.w3.org/TR/2013/CR-cors-20130129/),the
- @H_502_212@#XMLHttpRequestspec(
- @H_502_212@#http://www.w3.org/TR/2012/WD-XMLHttpRequest-20121206/),and
- @H_502_212@#experimentationwithlatestversionsofFirefox,Chrome,Safariat
- @H_502_212@#thatpointintime.
- @H_502_212@#
- @H_502_212@#==Changelog
- @H_502_212@#
- @H_502_212@#sharedat:https://gist.github.com/algal/5480916
- @H_502_212@#basedon:https://gist.github.com/alexjs/4165271
- @H_502_212@#
- @H_502_212@
- @H_502_212@location/{
- @H_502_212@
- @H_502_212@#iftherequestincludedanOrigin:headerwithanoriginonthewhitelist,
- @H_502_212@#thenitissomekindofCORSrequest.
- @H_502_212@
- @H_502_212@#specifically,thisexampleallowCORSrequestsfrom
- @H_502_212@#scheme:httporhttps
- @H_502_212@#authority:anyauthorityendingin".mckinsey.com"
- @H_502_212@#port:nothing,or:
- @H_502_212@if($http_origin~*(https?://[^/]*\.mckinsey\.com(:[0-9]+)?)$){
- @H_502_212@set$cors"true";
- @H_502_212@}
- @H_502_212@
- @H_502_212@#Nginxdoesn'tsupportnestedIfstatements,soweusestring
- @H_502_212@#concatenationtocreateaflagforcompoundconditions
- @H_502_212@
- @H_502_212@#OPTIONSindicatesaCORSpre-flightrequest
- @H_502_212@if($request_method='OPTIONS'){
- @H_502_212@set$cors"${cors}options";
- @H_502_212@}
- @H_502_212@
- @H_502_212@#non-OPTIONSindicatesanormalCORSrequest
- @H_502_212@if($request_method='GET'){
- @H_502_212@set$cors"${cors}get";
- @H_502_212@}
- @H_502_212@if($request_method='POST'){
- @H_502_212@set$cors"${cors}post";
- @H_502_212@}
- @H_502_212@
- @H_502_212@#ifit'saGETorPOST,setthestandardCORSresponsesheader
- @H_502_212@if($cors="trueget"){
- @H_502_212@#Tellsthebrowserthisoriginmaymakecross-originrequests
- @H_502_212@#(Here,weechotherequestingorigin,whichmatchedthewhitelist.)
- @H_502_212@add_header'Access-Control-Allow-Origin'"$http_origin";
- @H_502_212@#Tellsthebrowseritmayshowtheresponse,whenXmlHttpRequest.withCredentials=true.
- @H_502_212@add_header'Access-Control-Allow-Credentials''true';
- @H_502_212@##TellthebrowserwhichresponseheaderstheJScansee,besidesthe"simpleresponseheaders"
- @H_502_212@#add_header'Access-Control-Expose-Headers''myresponseheader';
- @H_502_212@}
- @H_502_212@
- @H_502_212@if($cors="truepost"){
- @H_502_212@#Tellsthebrowserthisoriginmaymakecross-originrequests
- @H_502_212@#(Here,besidesthe"simpleresponseheaders"
- @H_502_212@#add_header'Access-Control-Expose-Headers''myresponseheader';
- @H_502_212@}
- @H_502_212@
- @H_502_212@#ifit'sOPTIONS,thenit'saCORSpreflightrequestsorespondimmediatelywithnoresponsebody
- @H_502_212@if($cors="trueoptions"){
- @H_502_212@#Tellsthebrowserthisoriginmaymakecross-originrequests
- @H_502_212@#(Here,whichmatchedthewhitelist.)
- @H_502_212@add_header'Access-Control-Allow-Origin'"$http_origin";
- @H_502_212@#inapreflightresponse,tellsbrowserthesubsequentactualrequestcanincludeusercredentials(e.g.,cookies)
- @H_502_212@add_header'Access-Control-Allow-Credentials''true';
- @H_502_212@
- @H_502_212@#
- @H_502_212@#Returnspecialpreflightinfo
- @H_502_212@#
- @H_502_212@
- @H_502_212@#Tellbrowsertocachethispre-flightinfofor20days
- @H_502_212@add_header'Access-Control-Max-Age'1728000;
- @H_502_212@
- @H_502_212@#TellbrowserwerespondtoGET,POST,OPTIONSinnormalCORSrequests.
- @H_502_212@#
- @H_502_212@#Notofficiallyneededbutstillincludedtohelpnon-conformingbrowsers.
- @H_502_212@#
- @H_502_212@#OPTIONSshouldnotbeneededhere,sincethefieldisused
- @H_502_212@#toindicatemethodsallowedfor"actualrequest"notthe
- @H_502_212@#preflightrequest.
- @H_502_212@#
- @H_502_212@#GET,POSTalsoshouldnotbeneeded,sincethe"simple
- @H_502_212@#methods"GET,HEADareincludedbydefault.
- @H_502_212@#
- @H_502_212@#Weshouldonlyneedthisheaderfornon-simplerequests
- @H_502_212@#methods(e.g.,DELETE),orcustomrequestmethods(e.g.,XMODIFY)
- @H_502_212@add_header'Access-Control-Allow-Methods''GET,OPTIONS';
- @H_502_212@
- @H_502_212@#Tellbrowserweaccepttheseheadersintheactualrequest
- @H_502_212@#
- @H_502_212@#Adynamic,wide-openconfigwouldjustechobackalltheheaders
- @H_502_212@#listedinthepreflightrequest's
- @H_502_212@#Access-Control-Request-Headers.
- @H_502_212@#
- @H_502_212@#Adynamic,restrictiveconfig,wouldjustechobackthe
- @H_502_212@#subsetofAccess-Control-Request-Headersheaderswhichare
- @H_502_212@#allowedforthisresource.
- @H_502_212@#
- @H_502_212@#Thisstatic,fairlyopenconfigjustreturnsahardcodedsetof
- @H_502_212@#headersthatcoversmanycases,includingsomeheadersthat
- @H_502_212@#areofficiallyunnecessarybutactuallyneededtosupport
- @H_502_212@#non-conformingbrowsers
- @H_502_212@#
- @H_502_212@#Commentonsomeparticularheadersbelow:
- @H_502_212@#
- @H_502_212@#Authorization--practicallyandofficiallyneededtosupport
- @H_502_212@#requestsusingHTTPBasicAccessauthentication.BrowserJS
- @H_502_212@#canuseHTTPBAauthenticationwithanXmlHttpRequestobject
- @H_502_212@#reqbycalling
- @H_502_212@#
- @H_502_212@#req.withCredentials=true,and
- @H_502_212@#req.setRequestHeader('Authorization','Basic'+window.btoa(theusername+':'+thepassword))
- @H_502_212@#
- @H_502_212@#Counterintuitively,theusernameandpasswordfieldson
- @H_502_212@#XmlHttpRequest#opencannotbeusedtosettheauthorization
- @H_502_212@#fieldautomaticallyforCORSrequests.
- @H_502_212@#
- @H_502_212@#Content-Type--thisisa"simpleheader"onlywhenit's
- @H_502_212@#valueiseitherapplication/x-www-form-urlencoded,
- @H_502_212@#multipart/form-data,ortext/plain;andinthatcaseitdoes
- @H_502_212@#notofficiallyneedtobeincluded.But,ifyourbrowser
- @H_502_212@#codesetsthecontenttypeasapplication/json,forexample,
- @H_502_212@#thenthatmakestheheadernon-simple,andthenyourserver
- @H_502_212@#mustdeclarethatitallowstheContent-Typeheader.
- @H_502_212@#
- @H_502_212@#Accept,Accept-Language,Content-Language--thesearethe
- @H_502_212@#"simpleheaders"andtheyareofficiallynever
- @H_502_212@#required.Practically,possiblyrequired.
- @H_502_212@#
- @H_502_212@#Origin--logically,shouldnotneedtobeexplicitly
- @H_502_212@#required,sinceit'simplicitlyrequiredbyallof
- @H_502_212@#CORS.officially,itisunclearifitisrequiredor
- @H_502_212@#forbidden!practically,probablyrequiredbyexisting
- @H_502_212@#browsers(GeckodoesnotrequestitbutWebKitdoes,so
- @H_502_212@#WebKitmightchokeifit'snotreturnedback).
- @H_502_212@#
- @H_502_212@#User-Agent,DNT--officially,shouldnotberequired,as
- @H_502_212@#theycannotbesetas"authorrequestheaders".practically,
- @H_502_212@#mayberequired.
- @H_502_212@#
- @H_502_212@#MyComment:
- @H_502_212@#
- @H_502_212@#Thespecsarecontradictory,orelsejustconfusingtome,
- @H_502_212@#inhowtheydescribecertainheadersasrequiredbyCORSbut
- @H_502_212@#forbiddenbyXmlHttpRequest.TheCORSSpecsaysthebrowser
- @H_502_212@#issupposedtosetAccess-Control-Request-Headerstoinclude
- @H_502_212@#only"authorrequestheaders"(section7.1.5).Andthenthe
- @H_502_212@#serverissupposedtouseAccess-Control-Allow-Headersto
- @H_502_212@#echobackthesubsetofthosewhichisallowed,tellingthe
- @H_502_212@#browserthatitshouldnotcontinueandperformtheactual
- @H_502_212@#requestifitincludesadditionalheaders(section7.1.5,
- @H_502_212@#step8).Sothisimpliesthebrowserclientcodemusttake
- @H_502_212@#caretoincludeallnecessaryheadersasauthorrequest
- @H_502_212@#headers.
- @H_502_212@#
- @H_502_212@#However,thespecforXmlHttpRequest#setRequestHeader
- @H_502_212@#(section4.6.2)providesalonglistofheaderswhichthe
- @H_502_212@#thebrowserclientcodeisforbiddentoset,includingfor
- @H_502_212@#instanceOrigin,DNT(donottrack),User-Agent,etc..This
- @H_502_212@#isunderstandable:theseareallheadersthatwewantthe
- @H_502_212@#browseritselftocontrol,sothatmalicIoUsbrowserclient
- @H_502_212@#codecannotspoofthemandforinstancepretendtobefroma
- @H_502_212@#differentorigin,etc..
- @H_502_212@#
- @H_502_212@#ButifXmlHttpRequestforbidsthebrowserclientcodefrom
- @H_502_212@#settingthese(aspertheXmlHttpRequestspec),thenthey
- @H_502_212@#arenotauthorrequestheaders.Andiftheyarenotauthor
- @H_502_212@#requestheaders,thenthebrowsershouldnotincludethemin
- @H_502_212@#thepreflightrequest'sAccess-Control-Request-Headers.And
- @H_502_212@#iftheyarenotincludedinAccess-Control-Request-Headers,
- @H_502_212@#thentheyshouldnotbeechoedby
- @H_502_212@#Access-Control-Allow-Headers.Andiftheyarenotechoedby
- @H_502_212@#Access-Control-Allow-Headers,thenthebrowsershouldnot
- @H_502_212@#continueandexecuteactualrequest.Sothisseemstoimply
- @H_502_212@#thattheCORSandXmlHttpRequestspecsforbidcertain
- @H_502_212@#widely-usedfieldsinCORSrequests,includingtheOrigin
- @H_502_212@#field,whichtheyalsorequireforCORSrequests.
- @H_502_212@#
- @H_502_212@#Thebottomline:itseemsthereareheadersneededforthe
- @H_502_212@#webandCORStowork,whichatthemomentyoushould
- @H_502_212@#hard-codeintoAccess-Control-Allow-Headers,although
- @H_502_212@#officialspecsimplythisshouldnotbenecessary.
- @H_502_212@#
- @H_502_212@add_header'Access-Control-Allow-Headers''Authorization,Content-Type,Accept,Origin,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
- @H_502_212@
- @H_502_212@#buildentireresponsetothepreflightrequest
- @H_502_212@#nobodyinthisresponse
- @H_502_212@add_header'Content-Length'0;
- @H_502_212@#(shouldnotbenecessary,butincludedfornon-conformingbrowsers)
- @H_502_212@add_header'Content-Type''text/plaincharset=UTF-8';
- @H_502_212@#indicatesuccessfulreturnwithnocontent
- @H_502_212@return204;
- @H_502_212@}
- @H_502_212@#--PUTYOURREGULARNginxCODEHERE--
- @H_502_212@}
- @H_502_212@
服务器解析流程如下:
a.首先查看http头部有无origin字段;
b.如果没有,或者不允许,直接当成普通请求处理,结束;
c.如果有并且是允许的,那么再看是否是preflight(method=OPTIONS);
d.如果是preflight,就返回Allow-Headers、Allow-Methods等,内容为空;
e.如果不是preflight,就返回Allow-Origin、Allow-Credentials等,并返回正常内容。
若服务器为Nginx,可以 在 Nginx 的 conf 文件中加入以下内容:
若服务器为Apache,则可以按照如下配置:
- @H_502_212@@H_502_212@<IfModulemod_setenvif.c>
- @H_502_212@<IfModulemod_headers.c>
- @H_502_212@<FilesMatch"\.(cur|gif|ico|jpe?g|png|svgz?|webp)$">
- @H_502_212@SetEnvIfOrigin":"IS_CORS
- @H_502_212@HeadersetAccess-Control-Allow-Origin"*"env=IS_CORS
- @H_502_212@</FilesMatch>
- @H_502_212@</IfModule>
- @H_502_212@</IfModule>
为安全起见,Access-Control-Allow-Origin也可设为特定域名的方式。
在HTML5中,有些HTML元素为CORS提供了支持,如img、video新增了crossOrigin属性,属性值可以为anonymous或use-credentials。比如,canvas绘图要用到跨域图片,在JavaScript中要设置img.crossOrigin="Anonymous";
- @H_502_212@var@H_502_212@img=new@H_502_212@Image,
- @H_502_212@canvas=document.createElement("canvas"@H_502_212@),
- @H_502_212@ctx=canvas.getContext("2d"@H_502_212@),
- @H_502_212@src="http://example.com/image"@H_502_212@;//insertimageurlhere
- @H_502_212@
- @H_502_212@img.crossOrigin="Anonymous"@H_502_212@;
- @H_502_212@
- @H_502_212@img.onload=function@H_502_212@(){
- @H_502_212@canvas.width=img.width;
- @H_502_212@canvas.height=img.height;
- @H_502_212@ctx.drawImage(img,0);
- @H_502_212@localStorage.setItem("savedImageData"@H_502_212@,canvas.toDataURL("image/png"@H_502_212@));
- @H_502_212@}
- @H_502_212@img.src=src;
- @H_502_212@//makesuretheloadeventfiresforcachedimagestoo@H_502_212@
- @H_502_212@if@H_502_212@(img.complete||img.complete===undefined){
- @H_502_212@img.src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=="@H_502_212@;
- @H_502_212@img.src=src;
- @H_502_212@}
上述配置完成后,重启服务器,CORS启用。
然后我们再刷新页面,查询请求头的参数,可以发现多出一个:Access-Control-Allow-Origin:*
,到此证明服务器配置已经生效。同时我们的canvas绘图也可以正常使用了。
刷新页面返回请求响应结果后,HTTP Request Headers的内容:
Remote Address:222.132.18.xx:80
Request URL:http://js.xx.com/static/activity/sq/guagua315/images/card_inner.jpg
Request Method:GET
Status Code:200 OK
Request Headersview source
Accept:image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:zh-CN,zh;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Host:js.xx.com
Origin:http://act.xx.com
Pragma:no-cache
RA-Sid:7CCAD53E-20140704-054839-03c57a-85faf2
RA-Ver:2.8.8
Referer:http://act.xx.com/sq/guagua315?uuid=46124642&fid=2&sign=xxx
User-Agent:Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/40.0.2214.115Safari/537.36
Response Headersview source
Accept-Ranges:bytes
Access-Control-Allow-Origin:*
Connection:close
Content-Length:4010
Content-Type:image/jpeg
Date:Thu,12 Mar 2015 02:29:43 GMT
ETag:"54f7d1b4-faa"
Last-Modified:Thu,05 Mar 2015 03:47:00 GMT
Powered-By-ChinaCache:MISS fromCNC-WF-3-3X6
Powered-By-ChinaCache:MISS fromCNC-WF-3-3X5
Server:Tengine
Switch:FSCS附图:
参考文章:
CORS enabled image https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
CORS on Nginx http://enable-cors.org/server_nginx.html
Nginx CORS实现JS跨域 http://www.jb51.cc/article/p-xhzdhafc-bbp.html
转载请注明出处,文章来自于freshlover的CSDN空间《Ajax跨域、Json跨域、Socket跨域和Canvas跨域等同源策略限制的解决方法》
