How to circumvent same-origin policy for a 3rd party https site?
I have a http:// site that needs to access a 3rd party JSON API that is exposed on an https:// site. I've read through Ways to circumvent the same-origin policy, but it seems the methods described there aren't appropriate for me:
- The document.domain method - only works on subdomains.
- The Cross-Origin Resource Sharing method - requires server cooperation.
- The window.postMessage method - seems to require opening a popup window?
- The Reverse Proxy method - A possible solution, but seems a bit too hard to set up.
- http://anyorigin.com - seems to not support SSL.
Is this it? Must I implement solution 4, which seems rather complicated, or am I missing something?
Sorry, it seems that anyorigin.com does support https.
The reason I naively thought it doesn't, is because the API in question returns JSON, and I thought I would actually just get a plain text response (as in my tests with using anyorigin.com on google.com). When it returned just an object, I figured something was broken.
It appears the object simply returns the parsed JSON, so I'm good to go!
Update - anyorigin.com stopped working with some https sites a few weeks after I posted this, so I went ahead and wrote whateverorigin.org, an open source alternative to anyorigin.
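
The reverse proxy option from the list above, as an added example that is not part of the original post: a same-origin relay for Node.js 18+ that forwards GET requests to exactly one third-party HTTPS origin and relays only JSON. The upstream `https://api.example.com/`, the `/api/` prefix and the function names are hypothetical placeholders.

```javascript
// Added example: same-origin relay pinned to ONE upstream origin.
// UPSTREAM and PREFIX are hypothetical placeholders, not values from the post.
const UPSTREAM = new URL("https://api.example.com/");
const PREFIX = "/api/";

// Map a path on our own site to a URL on the upstream API.
// Returns null when the result would leave the pinned origin, so the
// relay cannot be steered to arbitrary hosts (no open proxy).
function resolveUpstream(requestUrl) {
  if (typeof requestUrl !== "string" || !requestUrl.startsWith(PREFIX)) return null;
  let target;
  try {
    target = new URL(requestUrl.slice(PREFIX.length), UPSTREAM);
  } catch {
    return null;
  }
  // Scheme, host and port must all match; this also rejects an http:// downgrade.
  return target.origin === UPSTREAM.origin ? target : null;
}

// Request handler for http.createServer(); uses the global fetch of Node 18+.
async function handle(req, res) {
  const target = req.method === "GET" ? resolveUpstream(req.url) : null;
  if (!target) {
    res.writeHead(404);
    res.end();
    return;
  }
  try {
    const upstream = await fetch(target, {
      redirect: "error",                  // do not follow redirects off the pinned origin
      signal: AbortSignal.timeout(5000),  // bound the time spent waiting on the upstream
    });
    const body = await upstream.text();
    JSON.parse(body);                     // throws on non-JSON, which becomes a 502
    res.writeHead(upstream.status, { "Content-Type": "application/json" });
    res.end(body);
  } catch {
    res.writeHead(502);
    res.end();
  }
}
```

Serve it from the same origin as the page, for example with `require("http").createServer(handle).listen(8080)`, so the browser's request to `/api/...` is same-origin and the HTTPS call happens server-side.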