å¨å±ä»¬çå·¥ä½ä¸ï¼è·¨åæ¯è¾å¸¸ç¨çæ¹å¼å°±æ¯JSONPï¼JSONPå°±æ¯éè¿scriptæ ç¾æ åæºéå¶çç¹ç¹ï¼å¨è·åå°éè¦çèµæºåèªå¨æ§è¡åè°æ¹æ³çæ¹å¼ï¼è¿éæ们è¦è¯¦ç»è¯´çä¸è¿ä¸ªä¸åï¼æ¯æµè§å¨åççCORSè·¨åï¼æ¯éè¿âæ£å½æ段âå¾å°æå¡å¨å§å§é¦è¯ï¼å¤§æ大æè·åè·¨åèµæºçæ¹å¼ï¼ç¸æ¯JSONPåªè½å®ç°GET请æ±ï¼CORS大æ³æ¯æææçç±»åï¼åæ¶CORSæ¯éè¿æ®éçXMLHttpRequestå起请æ±åè·å¾æ°æ®ï¼æ¯èµ·JSONPææ´å¥½çé误å¤çï¼æ¥ä¸æ¥æ们就æ¥è¯´ä¸è¿ä¸ªCORS大æ³ã
ç®ä»
CORSï¼Cross-Origin Resource Sharingï¼è·¨åèµæºå ±äº«ï¼ä¸»è¦ææ³å°±æ¯ä½¿ç¨èªå®ä¹çHTTP头é¨è®©æµè§å¨ä¸æå¡å¨è¿è¡æ²éï¼ä»èå³å®ååºæ¯æåè¿æ¯å¤±è´¥ï¼å®å 许äºæµè§å¨åè·¨æºæå¡å¨åé请æ±ï¼ä»èå æäºåæºçéå¶ã
ç®ç¥çæ¥è¯´ï¼åçå°±æ¯åæå¡å¨åé请æ±è·¨åèµæºçæ¶åï¼å¦ææ¯ç®å请æ±ï¼å¤æ请æ±ä¼ååºä¸ä¸ªé¢å¤çpreflightï¼åé¢è¯¦è¯´ï¼ï¼æµè§å¨ä¼èªå¨å¨å¤´ä¿¡æ¯ä¸å¢å ä¸ä¸ªOriginå段åè¯æå¡å¨ï¼æ¬æ¬¡è¯·æ±æ¥èªåªä¸ªæºï¼åè®® + åå + 端å£ï¼ï¼æå¡å¨å¦æåæï¼å°±ä¼å¨è¿åç头é¨ä¿¡æ¯ä¸å¢å ä¸ä¸ªAccess-Control-Allow-Originå段ï¼æOriginä¸çä¿¡æ¯åå°è¿ä¸ªå段çå¼ä¸ï¼åè¯æµè§å¨ï¼æçåºä½ 请æ±æå¦~
æ´ä¸ªCORSçéä¿¡è¿ç¨ï¼é½æ¯æµè§å¨èªå¨å®æçãæµè§å¨ä¸æ¦åç°AJAX请æ±è·¨åï¼å°±ä¼èªå¨æ·»å ä¸äºéå ç头é¨ä¿¡æ¯ï¼å¤æ请æ±åæ¯PUT,DELETEççæ åµè¿ä¼å¤ä¸æ¬¡éå ç请æ±ï¼å ·ä½å 容ä¸é¢ä¼è¯¦ç»è§£é
CORS æµè§å¨çæ¯ææ åµ
CORSéè¦æµè§å¨åæå¡å¨çåæ¶æ¯æï¼ç®åæµè§å¨çæ¯ææ åµå¦ä¸ï¼
æµè§å¨ç«¯å·²ç»è·å¾äºè¯å¥½çæ¯æï¼æ以å®ç°CORSçå ³é®å°±æ¯æå¡å¨ï¼åªè¦å®ç°äºCORSçæ¥å£ï¼å°±å¯ä»¥å®ç°è·¨åéä¿¡ã
IE对CORSçå®ç°
IE8ä¸å¼å ¥äºXDRï¼XDomainRequestï¼ï¼è¿ä¸ªå¯¹è±¡ä¸XHR类似ï¼ä¸åä¹å¤å¦ä¸ï¼
1. cookieä¸ä¼é请æ±åéï¼ä¹ä¸ä¼éååºè¿å
2. åªè½è®¾ç½®è¯·æ±å¤´é¨ä¿¡æ¯ä¸çContent-Typeå段
3. ä¸è½è®¿é®ååºå¤´é¨ä¿¡æ¯
4. åªæ¯æGETåPOST请æ±
XDR对象ç使ç¨æ¹æ³ç¨æ·XHR对象é常类似ï¼å¦ä¸ï¼
var xdr = new XDomainRequest();
xdr.onload = function() {
alert(xdr.responseText);
}
xdr.onerror = function() {
alert("error");
}
xdr.open("get", "http://www.xxx.com/yyy/");
xdr.send(null);
XHRçopenæ¹æ³ç¬¬ä¸ä¸ªåæ°æ¥åä¸ä¸ªæ¯å¦å¼æ¥åé请æ±çboolå¼ï¼XDRåä¸æ¥æ¶ç¬¬ä¸ä¸ªåæ°ï¼è¯·æ±é½æ¯å¼æ¥æ§è¡çï¼è¯·æ±è¿åååºåload并å°ååºæ°æ®ä¿åå¨responseTextå±æ§ä¸ãXDRæ æ³ç¡®å®ååºçç¶æç ï¼ååºææä¼è§¦åloadï¼å¤±è´¥å°±ä¼åºåerrorï¼ä½å´æ²¡æä»»ä½é误信æ¯å¯ç¨ï¼åªè½ç¥é请æ±æ¯å¦æå.
å ¶ä»æµè§å¨å¯¹CORSçå®ç°
Firefox3.5+ï¼Safari4+ï¼Chormeï¼IOSççSafariåAndroidå¹³å°ä¸çWebKité½éè¿XmlHttpRequestå®ç°äºå¯¹CORSçæ¯æãå¨å°è¯è¯·æ±è·¨åèµæºçæ¶åï¼èªå¨å°±ä¼è§¦åè¿ä¸ªè¡ä¸ºã
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
if(xhr.readyState == ){
if(xhr.status >= && xhr.status < || xhr.status == ){
console.log(xhr.responseText)
}else {
console.log('err' + xhr.status);
}
}
};
xhr.open('get','http://www.xxx.com/zzz/',true);
xhr.send(null);
XHRç¸æ¯XDRï¼å¯ä»¥è®¿é®statusåstatusTextï¼åæ¶æ¯æåæ¥è¯·æ±ãè·¨åXHRä¹æä¸äºå®å ¨éå¶ï¼
- ä¸è½ä½¿ç¨setRequestHeader()设置èªå®ä¹å¤´é¨
- ä¸è½åéåæ¥æ¶cookie
- è°ç¨è·åææ头é¨ä¿¡æ¯çæ¹æ³getAllReponseHeaders(ï¼æ¹æ³ä¼è¿å空å符串
ç®å请æ±ä¸å¤æ请æ±
æµè§å¨å°CORS请æ±åæ两类ã
ç®å请æ±ï¼
Simple requests
A simple cross-site request is one that meets all the following conditions:
The only allowed methods are: GET HEAD POST
Apart from the headers set automatically by the user agent (e.g. Connection,User-Agent, etc.), the only headers which are allowed to be manually set are:
Accept
Accept-Language
Content-Language
Content-Type
The only allowed values for the Content-Type header are:
application/x-www-form-urlencoded multipart/form-data text/plain
大æå°±æ¯è¯´ï¼
1. 请æ±æ¹æ³æ¯ä»¥ä¸ä¸ç§æ¹æ³ä¹ä¸ï¼HEADï¼GETï¼POST
2. HTTPç头信æ¯ä¸è¶ åºä»¥ä¸å ç§å段ï¼
Accept
Accept-Language
Content-Language
Last-Event-ID
3. Content-Typeï¼åªéäºä¸ä¸ªå¼application/x-www-form-urlencodedãmultipart/form-dataãtext/plain
éç®å请æ±ï¼
éç®å请æ±æ¯é£ç§å¯¹æå¡å¨æç¹æ®è¦æ±ç请æ±ï¼é¤ä»¥ä¸æ¡ä»¶ä¹å¤çé½æ¯éç®å请æ±ï¼è¦æ±å¿ é¡»é¦å ä½¿ç¨ OPTIONSæ¹æ³åèµ·ä¸ä¸ªé¢æ£è¯·æ±å°æå¡å¨ï¼ä»¥è·ç¥æå¡å¨æ¯å¦å 许该å®é 请æ±ãâé¢æ£è¯·æ±âç使ç¨ï¼å¯ä»¥é¿å è·¨å请æ±å¯¹æå¡å¨çç¨æ·æ°æ®äº§çæªé¢æçå½±åï¼æ¡ä»¶å¦ä¸ï¼
- 使ç¨äºä¸é¢ä»»ä¸ HTTP æ¹æ³ï¼
- PUT
- DELETE
- CONNECT
- OPTIONS
- TRACE
- PATCH
- 人为设置äºå¯¹ CORS å®å
¨çé¦é¨å段éåä¹å¤çå
¶ä»é¦é¨å段ã该éå为ï¼
- Accept
- Accept-Language
- Content-Language
- Content-Type (but note the additional requirements below)
- DPR
- Downlink
- Save-Data
- Viewport-Width
- Width
- Content-Type çå¼ä¸å±äºä¸åä¹ä¸:
- application/x-www-form-urlencoded
- multipart/form-data
- text/plain
CORS对ä¸å请æ±çå¤ç
ç®å请æ±ï¼
对äºç®åçè·¨å请æ±ï¼æµè§å¨èªå¨çååºCORS请æ±ï¼å¨è¯·æ±å¤´ä¸ï¼å¢å ä¸ä¸ªOriginå段ï¼å¦ä¸è¯·æ±å¤´ï¼
GET /cors HTTP/1.1
Origin: http://m.zhuanzhuan.58.com
Accept-Language: en-US
Connection: keep-alive
User-Agent: Mozilla/5.0...
Originå段ç¨æ¥è¯´ææ¬æ¬¡è¯·æ±æ¥èªåªä¸ªæºï¼åè®® + åå + 端å£ï¼
æå¡å¨æ¥æ¶å°è¯·æ±åï¼å¦æOriginæå®çæºä¸å¨è®¸å¯èå´å ï¼æå¡å¨ä¼è¿åä¸ä¸ªæ£å¸¸çHTTPååºï¼æµè§å¨æ¥æ¶å°çååºæ²¡æ头信æ¯ä¸æ²¡æå å«Access-Control-Allow-Originå段ï¼é£ä¹æµè§å¨å°±ä¼æåºä¸ä¸ªé误ï¼è¢«XHRçonerrorå½æ°ææï¼è¿ç§æ åµæ æ³éè¿ç¶æç å¤æï¼ç¶æç å¯è½ä¼è¿å200ã
å¦æOriginæå®çååå¨è®¸å¯çèå´å çè¯ï¼æå¡å¨è¿åçååºï¼ä¼å¤åºæ¥å 个头信æ¯å段ï¼
Access-Control-Allow-Origin: http://m.zhuanzhuan.58.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: TextParam
Content-Type: text/html; charset=utf-
åä¸ä¸ªä»¥Access-Control-å¼å¤´çå段é½æ¯ä¸CORSç¸å ³çå段
- Access-Control-Allow-Origin 该å段æ¯å 许跨åååºå¤´ä¸å¿ ä¸å¯å°çä¸ä¸ªå段ï¼å¼ä¸è¬é½æ¯è¯·æ±ä¸Originçå¼ï¼è¡¨ç¤ºå 许å½åæºçè·¨å请æ±ï¼ä¹å¯ä»¥è®¾ç½®æ*ï¼è¡¨ç¤ºæ¥åä»»ææºç请æ±ã
- Access-Control-Allow-Credentials表示æ¯å¦å 许跨ååécookieï¼æ¹å±æ§ä¸é¢ä¼è¯¦è§£
- Access-Control-Expose-Headersï¼è¯¥å±æ§è¿åçå段表示ï¼ç¨æ·å¯æ¿å°ç头é¨ä¸é¤äºåºæ¬çç个å段ä¹å¤çå ¶ä»å段çå段å称ãå¨æµè§å¨åé请æ±æ¶ï¼å¯ä»¥éè¿ä½¿ç¨setRequestHeader()æ¹æ³è®¾ç½®èªå®ä¹å¤´é¨ä¿¡æ¯ï¼ä¹å¯ä»¥éè¿getReponseHeader()æ¹æ³è·åååºçååºå¤´é¨ä¿¡æ¯ï¼ä¸é¢æå°çgetAllReponseHeaders(ï¼æ¯è·åååºå¤´ææåºæ¬å段ï¼ï¼èæ£å¸¸æ åµä¸ï¼è·åååºå¤´é¨ä¿¡æ¯åªè½æ¿å°7个åºæ¬å段ï¼Cache-ControlãContent-LanguageãContent-TypeãExpiresãLast-ModifiedãPragmaï¼å¦ææ³æ¿å°å«çå段ï¼å°±éè¦å¨Access-Control-Expose-Headersä¸ä¼ å ¥ä¸ä¸ï¼åä¸é¢çè¿å头ï¼å°±å¯ä»¥éè¿getResponseHeader(âTextParamâ)è¿åTextParamå段çå¼ã
éç®åè¯·æ± Preflighted Requestï¼
CORSéè¿Preflighted Requestçéææå¡å¨éªè¯æºå¶æ¯æå¼å人å使ç¨èªå®ä¹ç头é¨ã对äºé£äºåºæ¬æ¹æ³ä»¥å¤ç请æ±æ¹æ³ï¼æµè§å¨å¿ é¡»é¦å ä½¿ç¨ OPTIONS æ¹æ³åèµ·ä¸ä¸ªé¢æ£è¯·æ±ï¼Rreflighted Requestï¼ï¼ä»èè·ç¥æå¡ç«¯æ¯å¦å 许该跨å请æ±ã
é¢æ£HTTP请æ±å¤´é¨å¦ä¸ï¼
OPTIONS /cors HTTP/1.1
Origin: http://m.zhuanzhuan.58.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: TextParam
Host: api.alice.com
Accept-Language: en-US
Connection: keep-alive
User-Agent: Mozilla/5.0...
- Originï¼ä¸ç®åç请æ±ç¸å
- Access-Control-Request-Methodï¼ å¿ é¡»å段ï¼è¡¨ç¤ºè¯·æ±èªèº«ä½¿ç¨çæ¹æ³
- Access-Control-Request-Headersï¼å¯éå段ï¼èªå®ä¹ç头é¨ä¿¡æ¯ï¼å¤ä¸ªå¤´é¨ä»¥éå·åéï¼ææµè§å¨CORS请æ±ä¼é¢å¤åéç头信æ¯å段ãä¸ä¾æ¯å¸¦æèªå®ä¹å¤´é¨TextParamã
请æ±åéä¹åï¼å¦ææå¡å¨å 许该æºå¯¹èµæºç请æ±ï¼ä¼ä½åºååºï¼
HTTP/ OK
Access-Control-Allow-Origin: http://m.zhuanzhuan.58.com
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: TextParam
Access-Control-Max-Age:
...
- Access-Control-Allow-Originï¼è¡¨ç¤ºè¯¥è¯·æ±æ¥æºå¯ä»¥è¯·æ±æ°æ®
- Access-Control-Allow-Methodsï¼ å¿ é¡»å段ï¼è¡¨ææå¡å¨å 许客æ·ç«¯ä½¿ç¨ POST, GET å OPTIONS æ¹æ³å起请æ±ã
- Access-Control-Allow-Headersï¼å¯éå段ï¼è¡¨ææå¡å¨å 许请æ±ä¸æºå¸¦å段 TextParam ä¸ Content-Typeï¼éå·åå²ã
- Access-Control-Max-Ageï¼å¯éå段ï¼ç¨æ¥æå®æ¬æ¬¡é¢æ£è¯·æ±çæææï¼åä½ä¸ºç§ï¼å¨æ¤æé´æµè§å¨æ é为åä¸è¯·æ±å次åéé¢æ£è¯·æ±ã请注æï¼æµè§å¨èªèº«ç»´æ¤äºä¸ä¸ªæ大æææ¶é´ï¼å¦æ该é¦é¨å段çå¼è¶ è¿äºæ大æææ¶é´ï¼å°ä¸ä¼çæã
æå¡å¨ä¸æ¦éè¿äºé¢æ£è¯·æ±ï¼ä»¥åæ¯æ¬¡æµè§å¨æ£å¸¸çCORS请æ±é½ä¼è·ç®å请æ±ä¸æ ·ã
å¦ææµè§å¨ä¸åæ该é¢æ£è¯·æ±ï¼ä¼è¿åä¸ä¸ªæ£å¸¸çHTTPååºï¼ä½æ¯æ²¡æä»»ä½çCORSç¸å ³å¤´ä¿¡æ¯å段ï¼è¿æ¶æµè§å¨æ¥æ¶å°ååºï¼ä¼è¢«XMLHttpRequest对象çonerror()åè°å½æ°æè·ï¼æ§å¶å°ä¼æåºå¦ä¸çæ¥éä¿¡æ¯ã
XMLHttpRequest cannot load http://i.zhuanzhuan.com.
Origin http://m.zhuanzhuan.com is not allowed by Access-Control-Allow-Origin.
æºå¸¦åæ®ç请æ±
é»è®¤æ åµä¸è·¨å请æ±ä¸æä¾åæ®ï¼Cookie,HTTP认è¯ä»¥åSSLè¯æçï¼ãéè¿å°xhrçwithCredentialså±æ§è®¾ç½®ä¸ºtrueï¼å¯ä»¥æå®æ个请æ±åéåæ®ãå¦ææå¡å¨æ¥å带åæ®ç请æ±ï¼ä¼ç¨ä¸é¢çHttp头é¨æ¥ååºã
å¦ææå¡å¨ååºä¸å å«è¿ä¸ªå¤´æè 为falseï¼é£ä¹æµè§å¨å°±ä¸ä¼æååºäº¤ç»javascriptï¼responseText为空å符串ï¼status为0ï¼è§¦åonerror()ã
æå¡å¨å¯ä»¥å¨é¢æ£Preflightååºå¤´ä¸è¿åè¿ä¸ªå段表示å 许æºåéæºå¸¦åæ®ç请æ±ã
æ¯æçæµè§å¨æFireFox3.5+,Safari4+åChromeãIE10å以ä¸é½ä¸æ¯æã
对äºé带身份åè¯ç请æ±ï¼æå¡å¨ä¸å¾è®¾ç½® Access-Control-Allow-Origin çå¼ä¸ºâ*âï¼å¼å¿ 须为Origin é¦é¨å段æææçååå³å 许é带åè¯çæºã
![跨域及jsonp[图]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)