2015-05-25 185 views

我正在寫一個簡單的應用程序，從BBC的RSS feed http://feeds.bbci.co.uk/news/rss.xml 抓取新聞報道。爲什麼我的XMLHttpRequest不允許XSS（這裏指跨站請求）?

它需要完全在客戶端上運行,而不是使用jQuery,所以JSONP不是一個可行的解決方案。我一直在使用本地主機上的IE進行測試,並且在檢測到跨站點請求時單擊彈出的「允許內容」按鈕。 Chrome和Firefox並不是那麼容易讓他們接受這一點,現在我想在這些瀏覽器上進行測試,看看我的應用是否適用於他們。

到目前爲止..... 我試圖改變我的JavaScript使用像這樣一個CORS請求......

/**
 * Builds a request object able to make a cross-origin (CORS) call and opens it.
 *
 * @param {string} method HTTP method passed straight to open().
 * @param {string} url    Address passed straight to open().
 * @returns {?Object} An opened XMLHttpRequest, an opened XDomainRequest, or
 *                    null when the browser offers neither.
 */
function createCORSRequest(method, url) {
    var request = new XMLHttpRequest();

    // Only XMLHttpRequest Level 2 objects expose "withCredentials", so its
    // presence is used as the test for native CORS support.
    if ("withCredentials" in request) {
        request.open(method, url, true);
        return request;
    }

    // No XDomainRequest either: the browser cannot make CORS requests.
    if (typeof XDomainRequest == "undefined") {
        return null;
    }

    // XDomainRequest exists only in IE and is its way of making CORS requests.
    var legacyRequest = new XDomainRequest();
    legacyRequest.open(method, url);
    return legacyRequest;
}

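var xhr = createCORSRequest('GET', feedURL);

// createCORSRequest returns null when the browser has no CORS-capable request
// object, so this check has to come before any property is set on xhr.
if (!xhr) {
    throw new Error('CORS not supported');
}

// withCredentials is deliberately left at its default (false). The feed is
// public and needs no cookies, and a credentialed cross-origin response is only
// readable when the server names the exact origin and also sends
// Access-Control-Allow-Credentials: true; a wildcard "*" is not accepted.

xhr.onload = function () {
    // XDomainRequest has no status property and fires onload only on success,
    // so a missing status is treated as success.
    var succeeded = typeof xhr.status === 'undefined' || xhr.status === 200;
    if (!succeeded) {
        alert('Request failed. Returned status of ' + xhr.status);
        return;
    }

    var xmlDoc;
    if (window.DOMParser) {
        // Declared locally so it does not leak into the global scope.
        var parser = new DOMParser();
        xmlDoc = parser.parseFromString(xhr.responseText, "text/xml");
    } else { // Internet Explorer
        xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
        xmlDoc.async = false;
        xmlDoc.loadXML(xhr.responseText);
    }

    // The feed is third-party data: when putting titles or descriptions on the
    // page, write them as text (textContent / createTextNode) rather than as
    // markup, so nothing in the feed is interpreted as HTML or script.
    //do some stuff
};

// A cross-origin request refused by the browser ends up here, not in onload,
// and the status and body are withheld from script.
xhr.onerror = function () {
    alert('Request failed. The browser blocked it or the network call did not complete.');
};

xhr.send();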

我也把它上傳到我的Web服務器，並用IIS 6託管。我添加了一個web.config，設置如下。

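<configuration>
    <system.web>
        <!-- debug="true" is a development setting: it disables request
             timeouts and emits unoptimised code. Deployed sites should run
             with debug="false". -->
        <compilation debug="false" targetFramework="4.5" />
        <httpRuntime targetFramework="4.5" />
    </system.web>
    <!-- NOTE(review): system.webServer is read by IIS 7 and later; confirm the
         server version, since the text above mentions IIS 6. -->
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <!-- This header is added to responses served by THIS site. It
                     lets pages on any other origin read those responses. It
                     does not let this site's pages read responses from another
                     host: that permission has to come from the host being
                     requested. A wildcard value is also not accepted by
                     browsers for requests sent with credentials. Remove it, or
                     name the specific origin, if no other site needs to read
                     this one. -->
                <add name="Access-Control-Allow-Origin" value="*" />
            </customHeaders>
        </httpProtocol>
        <defaultDocument>
            <files>
                <add value="rss.html" />
            </files>
        </defaultDocument>
    </system.webServer>
</configuration>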

我發現有關在IIS中設置處理程序映射的文章。建議將OPTIONSVerbHandler設置爲ISAPI ...但是我沒有這個設置。

任何人都可以對此有所瞭解。我將不勝感激。


回答


經過進一步研究，最簡單的解決方案似乎是創建我自己的代理。

  • 將靜態站點轉換爲一個空白的ASP.Net Web應用程序
  • 在項目中創建一個通用處理程序，從服務器端請求BBC feed
  • 從客戶端JS調用該通用處理程序
處理器

這是我的處理程序，供有興趣的人參考

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Web;
using System.Xml;

namespace 訂閱
{
    /// <summary>
    /// Summary description for RSS
    /// </summary>
    public class RSS : IHttpHandler
    {

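/// <summary>
/// Handles a request by fetching the feed via CreateRequest and writing it to the response.
/// </summary>
/// <param name="context">The current request/response context.</param>
public void ProcessRequest(HttpContext context)
    {
        string feedXml = CreateRequest();

        // No body came back from upstream: report that as a gateway failure
        // instead of answering 200 with an empty page.
        if (feedXml == null)
        {
            context.Response.StatusCode = 502;
            return;
        }

        // Label the payload as XML. Without this the response goes out as
        // text/html, so a browser opening the handler URL directly would
        // interpret third-party feed content as a page in this site's origin.
        context.Response.ContentType = "text/xml";
        context.Response.Write(feedXml);
    }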

    /// <summary>
    /// Reports whether one handler instance may serve more than one request.
    /// Always false for this handler.
    /// </summary>
    public bool IsReusable
    {
        get { return false; }
    }

    /// <summary>
    /// Requests the BBC News RSS feed through XmlHttpRequest, passing an empty xmlContent.
    /// </summary>
    /// <returns>Whatever XmlHttpRequest returns for the feed URL.</returns>
    public static string CreateRequest()
    {
        // The upstream address is fixed here and never taken from the incoming
        // request, so a client cannot steer this handler at another host.
        // NOTE(review): the feed is fetched over plain http://, so its content is
        // not integrity-protected in transit; confirm whether an https URL can be used.
        const string feedUrl = "http://feeds.bbci.co.uk/news/rss.xml";
        return XmlHttpRequest(feedUrl, "");
    }

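    /// <summary>
    /// Performs a server-side HTTP request and returns the response body as text.
    /// Sends a GET when <paramref name="xmlContent"/> is null or empty, otherwise
    /// POSTs it as UTF-8 encoded text/xml.
    /// </summary>
    /// <param name="urlString">Address to request. The result is cast to HttpWebRequest, so only HTTP(S) addresses are usable.</param>
    /// <param name="xmlContent">XML to send as the request body, or null/empty for none.</param>
    /// <returns>The response body when the status is 200 OK; otherwise null.</returns>
    /// <exception cref="WebException">The request could not be completed or the server answered with an error status.</exception>
    public static string XmlHttpRequest(string urlString, string xmlContent)
    {
        // This method requests whatever address it is handed. Callers should
        // pass fixed, trusted URLs only and never a value taken from an incoming
        // request, or the server becomes a relay to arbitrary hosts.
        HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(urlString);

        if (string.IsNullOrEmpty(xmlContent))
        {
            // Nothing to send: fetching a resource is a GET, not a POST with an empty body.
            httpWebRequest.Method = "GET";
        }
        else
        {
            // Encode with the charset the header declares. The earlier ASCII
            // encoding replaced every non-ASCII character with '?', and
            // "encoding=" is not a Content-Type parameter; "charset=" is.
            byte[] bytes = System.Text.Encoding.UTF8.GetBytes(xmlContent);
            httpWebRequest.Method = "POST";
            httpWebRequest.ContentLength = bytes.Length;
            httpWebRequest.ContentType = "text/xml; charset=utf-8";

            using (Stream requestStream = httpWebRequest.GetRequestStream())
            {
                requestStream.Write(bytes, 0, bytes.Length);
            }
        }

        // The using block closes the response on every path. The earlier finally
        // block called Close() on a null reference whenever the request itself
        // failed, which replaced the real error with a NullReferenceException.
        // Exceptions are left to propagate with their type and stack trace intact.
        using (HttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse())
        {
            if (httpWebResponse.StatusCode != HttpStatusCode.OK)
            {
                return null;
            }

            using (Stream responseStream = httpWebResponse.GetResponseStream())
            using (StreamReader reader = new StreamReader(responseStream))
            {
                // NOTE(review): the whole body is read into memory with no size
                // limit, and every call to the handler triggers an upstream fetch;
                // consider caching the result and bounding the read.
                return reader.ReadToEnd();
            }
        }
    }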
} 

}