AJAX Cross-Domain Same-Origin Policy limitation

最新推荐文章于 2025-12-28 17:42:14 发布

转载最新推荐文章于 2025-12-28 17:42:14 发布 · 474 阅读

文章标签：

#ajax #jsonp #callback #json #javascript #function

工作心得同时被 2 个专栏收录

42 篇文章

订阅专栏

1 篇文章

订阅专栏

本文介绍了几种绕过AJAX同源策略限制的方法，包括服务器端代理、iFrame及JSONP等技术，并提供了使用jQuery进行JSONP调用的具体示例。

摘自：http://www.ibm.com/developerworks/library/wa-aj-jsonp1/

AJAX Same-Origin Policy(SOP) limitation:

AJAX prevents cross-domail invokation, there are several ways to by pass this limitation.

1. write a proxy on the server side. The SOP limitation only exists only on the javascript side. While on the side, we can still invoke the other domail url such as via HttpClient

2. iFrame ( not sure )

3. JSONP(JSON with Padding)

the same-origin policy doesn't prevent the insertion of dynamic script elements into the document. That is, you could dynamically insert JavaScript from different domains, carrying JSON data in them.

<mce:script type="text/javascript"></mce:script>

Note that, in order to do this, you must have a callback function already defined in the Web page at the time of insertion.

Beginning with version 1.2, jQuery has had native support for JSONP calls. You can load JSON data located on another domain if you specify a JSONP callback, which can be done using the following syntax: url?callback=?.

AJAX invoke:

jQuery.getJSON("http://www.yourdomain.com/jsonp/ticker?symbol=IBM&callback=?", function(data) { alert("Symbol: " + data.symbol + ", Price: " + data.price); });

Another domain generates json data and returned to client side with callback function.

@Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String jsonData = getDataAsJson(req.getParameter("symbol")); String output = req.getParameter("callback") + "(" + jsonData + ");"; resp.setContentType("text/javascript"); PrintWriter out = resp.getWriter(); out.println(output); // prints: jsonp1232617941775({"symbol" : "IBM", "price" : "91.42"}); }