How to use JSONP to overcome an XSS problem?

2022-01-15 00:00:00 xmlhttprequest javascript xss jsonp

I have a piece of JavaScript executing on a Jetty server which is sending an XMLHttpRequest to a socket on another server (WAMP server). The request gets sent to the socket; however, the XHR response seems to be getting blocked.

I have heard that I can use JSONP to overcome this problem. However, as I am new to JavaScript and have never used the JSONP technique before, I would greatly appreciate any help on how to use this technique.

// Shared with the callback: the original assigned xmlHttp without var, so it
// lived in global scope; declared explicitly here to keep that behaviour.
var xmlHttp;

function GetXmlHttpObject() {
    // The original calls this helper without defining it; this is the
    // conventional version: native XMLHttpRequest, ActiveX on old IE.
    if (window.XMLHttpRequest) {
        return new XMLHttpRequest();
    }
    if (window.ActiveXObject) {
        return new ActiveXObject("Microsoft.XMLHTTP");
    }
    return null;
}

function sendPost(url, postdata, callback) {
    xmlHttp = GetXmlHttpObject();

    if (xmlHttp == null) {
        alert("Browser does not support HTTP Request");
        return;
    }

    xmlHttp.onreadystatechange = callback;
    xmlHttp.open("POST", url, true);
    xmlHttp.send(postdata);
}

function sendInitRQ(width, height) {
    // Single-quoted string: the original had unescaped " inside a "-delimited
    // string, which is a syntax error.
    var post = '<?xml version="1.0" encoding="UTF-8"?><command type="init"><width>' + width + '</width><height>' + height + '</height></command>';

    // initReturned is the onreadystatechange handler defined elsewhere in the page.
    sendPost("http://localhost:80/socket.php", post, initReturned);
}

I know that the PHP socket is receiving the post, as when I check the server log I get a 200 on the GET request.

I just want to know how I can use the JSONP approach. I have seen examples of the approach but I am still unsure of how to do it.

Recommended answer

The JSONP technique uses a completely different mechanism for issuing HTTP requests to a server and acting on the response. It requires cooperating code in the client page and on the server. The server must have a URL that responds to HTTP "GET" requests with a block of JSON wrapped in a function call. Thus, you can't just do JSONP transactions to any old server; it must be a server that explicitly provides the functionality.

The idea is that your client code dynamically creates a
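The GET-with-wrapped-JSON exchange the answer describes, as an added example that is not code from the question or the answer (Node.js-runnable JavaScript simulating both sides; the endpoint path, the `width`/`height` query parameters and the identifier rule for the callback name are assumptions):

```javascript
// Added example, not code from the question or the answer: a JSONP "init"
// exchange. Endpoint path, query parameter names and the identifier rule for
// the callback name are assumptions.

// Server side. JSONP only works over GET, so width/height travel in the
// query string instead of a POSTed XML body.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function buildJsonpResponse(query) {
  const cb = query.callback;
  // Only a plain (dotted) identifier is accepted: the callback name is copied
  // verbatim into a script the browser will execute, so it must never carry
  // anything but a function name.
  if (typeof cb !== "string" || !SAFE_CALLBACK.test(cb)) {
    return { status: 400, contentType: "text/plain", body: "invalid callback" };
  }
  const width = Number(query.width), height = Number(query.height);
  const payload = Number.isFinite(width) && Number.isFinite(height)
    ? { status: "ok", width: width, height: height }
    : { status: "error", message: "width and height required" };
  // JSON.stringify output is a valid JS expression; wrapping it in a call to
  // the validated callback yields the script the client loads.
  return { status: 200, contentType: "application/javascript",
           body: cb + "(" + JSON.stringify(payload) + ");" };
}

// Client side: the URL the page would inject as <script src="..."></script>;
// callbackName must be a function defined on window with that exact name.
function buildJsonpUrl(base, params, callbackName) {
  const qs = new URLSearchParams({ ...params, callback: callbackName });
  return base + "?" + qs.toString();
}

// Client side, for checking offline: unwrap the JSON from a known callback
// name instead of letting the browser execute the response as script.
function unwrapJsonp(text, callbackName) {
  const prefix = callbackName + "(";
  if (!text.startsWith(prefix) || !text.endsWith(");")) return null;
  return JSON.parse(text.slice(prefix.length, -2));
}

// Worked exchange on constructed input.
const initUrl = buildJsonpUrl("http://localhost:80/socket.php",
                              { width: 640, height: 480 }, "initReturned");
const initRes = buildJsonpResponse(Object.fromEntries(new URL(initUrl).searchParams));
const initData = unwrapJsonp(initRes.body, "initReturned");
```

In a real page the browser runs the response body as a script and calls the global function named by `callback`; the validation on the server is what keeps that reflected script limited to a function call.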