
I have been reading around this subject all morning, but I am still confused by the results.

From what I understand, jQuery .ajax .get should not work cross browser using datatype="xml"; however, the following RSS feed does work:

var rssurl = 'http://gdata.youtube.com/feeds/base/videos/-/trees?orderby=published&alt=rss';

Yet when I try to call another feed, it doesn't work. It gives a parsererror.

var rssurl = 'http://api.flickr.com/services/feeds/photos_public.gne?tags=trees&format=rss2'

Now, this feed that doesn't work does work when I copy it locally and call it, which is why I think it is a cross-domain issue.

Also, when viewing in Fiddler, I can see the feed is actually downloaded, which I find strange: why would this happen if it is a cross-domain call? Surely it would stop before the feed is pulled?

Below is the code to pull the feed.

    $.ajax({
        type: "GET",
        url: rssurl,
        dataType: "xml",
        success: function (data, textStatus, jqXHR) {
            // report the jQuery status ("success") and then list the item titles
            document.write("got the feed: " + textStatus + "\n");
            var $xml = $(data);
            $xml.find("item").each(function () {
                var $this = $(this); // original had a comma here, which is a syntax error
                document.write($this.find("title").text());
            });
        },
        error: function (jqXHR, textStatus, errorThrown) {
            // textStatus is e.g. "error" or "parsererror"
            alert('failure');
            console.log('status: ' + textStatus);
            if (textStatus == 'error') console.log(errorThrown);
        }
    });

So onto my questions:

  1. Why would I be able to make a cross-domain call to one feed and not another; shouldn't both be banned?
  2. If the 2nd feed did contain errors, why would it work locally?
  3. arghhhhhhhhhhhhhhh

cheers


2 Answers


The CORS norm specifies that the browser asks the server for authorization to embed content coming from another origin in a frame. All modern browsers respect this norm.

When you ask api.flickr.com, it doesn't give you the authorization.

But when you ask gdata.youtube.com, it answers with these headers:

HTTP/1.1 200 OK
X-GData-User-Country: FR
Access-Control-Allow-Origin: http://fiddle.jshell.net
Content-Type: text/xml; charset=UTF-8
Expires: Fri, 01 Jun 2012 19:41:43 GMT
Date: Fri, 01 Jun 2012 19:41:43 GMT
Cache-Control: private, max-age=1800, no-transform
Vary: *
GData-Version: 1.0
Last-Modified: Fri, 01 Jun 2012 19:41:43 GMT
Content-Encoding: gzip
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

So you see that you're authorized to embed the content (here I ask from a fiddle, hence the http://fiddle.jshell.net, but servers may answer simply '*', meaning all origins, without bothering to personalize this part of the header).

The conclusion is logical: you may include cross-domain parts if the service allows it.

And keep in mind that it's mainly a browser-side lock that protects you as a user (and your data) against injections.

answered 2012-06-01T19:46:58.963
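As an added illustration (not code from the question or either answer), here is a simplified model of the check a browser applies to a cross-origin XHR response: the body still arrives on the wire (which is why Fiddler sees the Flickr feed), but the page is only allowed to read it when Access-Control-Allow-Origin is "*" or exactly equals the requesting origin. The two header blocks below are constructed samples, abbreviated from the headers quoted in the answer above.

```javascript
// Constructed sample: the gdata.youtube.com headers quoted in the answer, abbreviated.
const YOUTUBE_RESPONSE =
  "HTTP/1.1 200 OK\r\n" +
  "Access-Control-Allow-Origin: http://fiddle.jshell.net\r\n" +
  "Content-Type: text/xml; charset=UTF-8\r\n" +
  "X-Frame-Options: SAMEORIGIN\r\n\r\n";

// Constructed sample: a response carrying no CORS header at all (the Flickr case).
const FLICKR_RESPONSE =
  "HTTP/1.1 200 OK\r\n" +
  "Content-Type: application/rss+xml\r\n\r\n";

// Parse the header block of a raw HTTP response into a map keyed by
// lower-cased header name (header names are case-insensitive).
function parseHeaders(raw) {
  const lines = raw.split(/\r?\n/);
  const headers = {};
  for (const line of lines.slice(1)) {   // skip the status line
    if (line === "") break;              // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Decide whether script running on `requestOrigin` may read the response body.
// withCredentials mirrors the XHR flag: a credentialed request may not rely on "*".
function corsAllows(rawResponse, requestOrigin, withCredentials = false) {
  const acao = parseHeaders(rawResponse)["access-control-allow-origin"];
  if (acao === undefined) return false;        // no header: body is withheld (Flickr)
  if (acao === "*") return !withCredentials;   // wildcard is fine only without cookies
  return acao === requestOrigin;               // otherwise an exact origin match is needed
}

// The feed is fetched in all three cases; only the exposure to the page differs.
console.log(corsAllows(YOUTUBE_RESPONSE, "http://fiddle.jshell.net")); // true
console.log(corsAllows(YOUTUBE_RESPONSE, "http://example.com"));       // false
console.log(corsAllows(FLICKR_RESPONSE, "http://fiddle.jshell.net"));  // false
```

Note that the X-Frame-Options header in the same response governs framing, not XHR; it is the Access-Control-Allow-Origin value alone that the check above consults.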

To answer your questions:

  1. It's the server's policy that decides whether the cross-domain call is allowed or not. To look at this from another perspective, Flash and Silverlight developers are very familiar with cross-domain policies. To access a web service on another domain, the service needs to authorize cross-domain requests. The purpose is an attempt to limit cross-site scripting attacks.
  2. It means there's nothing wrong with the feed; it's just that when you load it remotely, the browser is blocking your request per cross-domain policy.
  3. LOUD NOISES

You raise an interesting point that some browsers do actually load the file (as confirmed by Fiddler). IE by contrast does not load the file at all. I don't know the answer, but it would be interesting to hear an explanation of that point.

answered 2012-06-02T05:17:54.620