
I'm trying out a JSONP call. I have a NodeJs app on server 1, under the domain domain1.com, looking like this:

    server.get('/api/testjsonp', function(req, res) {

      var clientId = req.param('clientId');

      res.header('Content-Type', 'application/json');
      res.header('Charset', 'utf-8');
      // Build the JSONP reply: callback name followed by the JSON payload.
      // The string is concatenated so the literal does not span several lines.
      res.send(req.query.callback + '({"something": "rather", "more": "fun", ' +
               '"sourceDomain": "' + req.headers.origin + '", ' +
               '"clientId": "' + clientId + '"});');

    });

On another server (server 2), under a different domain (domain2.com), I have created a test html page with a call like this:

    var data = { clientId : 1234567890 };

    $.ajax({
        dataType: 'jsonp',
        data: data,
        jsonp: 'callback',
        url: 'https://domain1.com/api/testjsonp?callback=1',
        success: function(data) {
            alert('success');
        },
        error: function(err){
            alert('ERROR');
            console.log(err);
        }
    });

I have 2 problems here:

1) Why is this working? Isn't it a cross-domain call and therefore I'd need to implement the ALLOW-ORIGIN headers stuff? I'm following these examples:

http://css.dzone.com/articles/ajax-requests-other-domains

http://benbuckman.net/tech/12/04/cracking-cross-domainallow-origin-nut

2) In the server, I can't figure out which domain is making the call; req.headers.origin is always undefined. I'd like to be able to know which domain is calling, to prevent unwanted calls. Alternatively, I could check for the calling IP; any idea how?

Many thanks


1 Answer


> Why is this working? Isn't it a cross-domain call and therefore I'd need to implement the ALLOW-ORIGIN headers stuff?

As far as the browser is concerned, you are not reading data directly from a different origin. You are loading a JavaScript program (which happens to bundle some data) from another origin.

> In the server, I can't figure out which domain is making the call; req.headers.origin is always undefined. I'd like to be able to know which domain is calling, to prevent unwanted calls.

The URL of the referring page is stored in the Referer header, not the Origin header. However, it is optional and is not sent in many cases.

If you want to restrict access to the data to certain sites, you cannot use JSON-P. Use plain JSON and CORS instead.

> Alternatively, I could check for the calling IP; any idea how?

That would give you the address of the client, not of the site that directed the client to your server.

answered 2012-11-25T18:32:11.073
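An added example, not code from the question or the answer, that puts the answer's two points side by side in a dependency-free Node.js handler: the JSONP route has no Origin header (and only an optional Referer) to go on, while a plain JSON route can check Origin against an allowlist and let the browser enforce CORS. The names `handle`, `serve`, `ALLOWED_ORIGINS` and the allowlisted `https://domain2.com` are assumptions, not anything from the page.

```javascript
// Added example (not the question's or answer's code): a dependency-free Node.js
// handler that contrasts the JSONP endpoint with a CORS-restricted JSON endpoint.
const ALLOWED_ORIGINS = new Set(['https://domain2.com']); // assumed allowlist of callers
const CALLBACK_RE = /^[A-Za-z_$][\w$.]*$/; // echo only a plain identifier back into the script

// req is {method, url, headers} with url = path plus query string; the result
// {status, headers, body} is returned so the logic can be exercised without a socket.
function handle(req) {
  const url = new URL(req.url, 'http://localhost');
  const origin = req.headers['origin']; // browsers send it on CORS requests, not on <script> loads
  const payload = { something: 'rather', more: 'fun', clientId: url.searchParams.get('clientId') };

  if (url.pathname === '/api/testjsonp') {
    // JSONP: the browser executes the reply as a script, so Origin is absent and
    // Referer is optional; the caller cannot be restricted here.
    const cb = url.searchParams.get('callback') || '';
    if (!CALLBACK_RE.test(cb)) return { status: 400, headers: {}, body: 'bad callback' };
    return {
      status: 200,
      headers: { 'Content-Type': 'application/javascript; charset=utf-8' },
      body: cb + '(' + JSON.stringify(payload) + ');',
    };
  }

  if (url.pathname === '/api/test') {
    // Plain JSON + CORS: the browser sends Origin and refuses to expose the
    // response unless Access-Control-Allow-Origin matches it.
    if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {}, body: 'forbidden' };
    return {
      status: 200,
      headers: {
        'Content-Type': 'application/json; charset=utf-8',
        'Access-Control-Allow-Origin': origin, // echo only an allowlisted origin, never '*'
        'Vary': 'Origin',
      },
      body: JSON.stringify(payload),
    };
  }
  return { status: 404, headers: {}, body: 'not found' };
}

// Start a real server with: serve(3000)
function serve(port) {
  return require('http').createServer((req, res) => {
    const r = handle({ method: req.method, url: req.url, headers: req.headers });
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port);
}
```

A page on domain2.com fetching `/api/test` with `$.ajax({ dataType: 'json', ... })` succeeds, while any other origin gets a 403 and, even if it received a 200, the browser would block it for lack of a matching `Access-Control-Allow-Origin`.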