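Problem description
I have a CORS problem.
I am using an API that has
Access-Control-Allow-Origin: http://www.example.com
Because of this, I cannot access the information I need to continue my website.
But, strangely, I can see it if I put the API URL into the Firefox address bar.
Here are my request headers:
Host: carto.strasmap.eu
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: application/json, text/plain, */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.49:9000/
Origin: http://192.168.1.49:9000
Connection: keep-alive
And the response headers:
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Origin: http://www.example.com/
Access-Control-Max-Age: 0
Cache-Control: max-age=31536000
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 781
Content-Type: text/javascript; charset=UTF-8
Date: Sat, 25 Jul 2015 01:23:50 GMT
Expires: Sun, 24 Jul 2016 01:23:50 GMT
Keep-Alive: timeout=5, max=100
Server: Apache
Vary: Accept-Encoding
X-Powered-By: PHP/5.6.8
Of course, I cannot modify the API.
I use AngularJS for my website.
Is there anything I can do to get the data hidden behind this?
Thanks for your help
Lothigo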
No, not with pure client code, but Yes if you can involve a custom server. See possible work-arounds discussed below.
Same origin security in a browser prevents an Ajax request to a page at origin Y when that request is made from a web page that is not also origin Y. This can only be changed by having the server that is serving the request enable CORS from the origin whose page you are making the request from or from all origins. The only way to change that is by changing the CORS support on the API server. There is nothing you can do purely on the client side to override the same origin protections. And, if there was a pure client thing that could override it, it would be quickly closed as a security hole.
Same origin protections do not apply to a URL typed into the URL bar since there is no "origin" that is different than the URL entered into the URL bar. That explains why you can access the API server by typing URLs directly into the URL bar. The same origin protections for Ajax calls made from a web page are additional security measures implemented by the browser that do not apply when entering a URL directly into the URL bar. But, there is no way to use this capability from Javascript to skirt the same origin protections because Javascript cannot freely reach across windows of different origins.
There are some possible work-arounds.
If the API server supports JSONP, then you could use that. But, since JSONP is specifically for cross origin requests, if the API server isn't allowing cross origin requests with a regular Ajax request, then they probably wouldn't be allowing them via JSONP.
You can implement your own server proxy. From your existing web page, you would make a request of your own server proxy. That proxy would either already be on the same origin as your web page or would support CORS from at least the origin on your web page so that the Ajax call to your own server proxy would be permitted. Your server proxy would then call the API server to get the results you want and return them via the Ajax call made to the server proxy. Since same origin protections are implemented and enforced only in the browser for Ajax calls made from the browser, the server proxy is not limited by them and it can freely access the API server.
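The server proxy described in the answer above, sketched in Node.js as an added example (not code from the original question or answer). The upstream host and front-end origin are taken from the question's headers; the http scheme, the /api/ path prefix and the PROXY_PORT variable are assumptions.

```javascript
const http = require('http');

// Host and front-end origin come from the question's headers.
// Assumed for illustration: the http scheme and the /api/ path prefix.
const UPSTREAM = new URL('http://carto.strasmap.eu');
const FRONTEND_ORIGIN = 'http://192.168.1.49:9000';
const ALLOWED_PREFIX = '/api/';

// Map an incoming request path to the upstream URL, or return null to refuse.
// Pinning host, prefix and method keeps the proxy from becoming an open relay.
function upstreamUrlFor(method, reqPath) {
  if (method !== 'GET' || typeof reqPath !== 'string' || !reqPath.startsWith('/')) return null;
  let url;
  try { url = new URL(reqPath, UPSTREAM); } catch { return null; } // resolves ".." segments
  if (url.host !== UPSTREAM.host || !url.pathname.startsWith(ALLOWED_PREFIX)) return null;
  return url;
}

// Send the CORS header only to our own front end; never reflect arbitrary origins.
function corsHeadersFor(origin) {
  return origin === FRONTEND_ORIGIN
    ? { 'Access-Control-Allow-Origin': FRONTEND_ORIGIN, 'Vary': 'Origin' }
    : {};
}

const server = http.createServer((req, res) => {
  const target = upstreamUrlFor(req.method, req.url);
  if (!target) { res.writeHead(403); return res.end('refused'); }
  // Server-to-server request: the browser's same-origin policy does not apply here.
  const upstream = http.get(target, { headers: { Accept: 'application/json' } }, (up) => {
    res.writeHead(up.statusCode, {
      'Content-Type': up.headers['content-type'] || 'application/octet-stream',
      ...corsHeadersFor(req.headers.origin),
    });
    up.pipe(res);
  });
  upstream.setTimeout(5000, () => upstream.destroy(new Error('upstream timeout')));
  upstream.on('error', () => { if (!res.headersSent) res.writeHead(502); res.end(); });
});

// Listen only when asked to, e.g. PROXY_PORT=9001 node proxy.js
if (process.env.PROXY_PORT) server.listen(Number(process.env.PROXY_PORT), '127.0.0.1');
```

If the proxy is served from the same origin as the AngularJS page, the CORS header is not needed at all; it matters only when the proxy runs on a different port or host.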