how to bypass Access

I'm doing an ajax call to my own server on a platform which they set up to prevent these ajax calls (but I need it to fetch the data from my server to display retrieved data from my server's database). My ajax script is working; it can send the data over to my server's php script to allow it to process. However, it cannot get the processed data back as it is blocked by "Access-Control-Allow-Origin".

I have no access to that platform's source/core, so I can't remove the script that is disallowing me to do so. (P/S I used Google Chrome's Console and found out this error.)

The Ajax code as shown below:

    $.ajax({
        type: "GET",
        url: "http://example.com/retrieve.php",
        data: "id=" + id + "&url=" + url,   // id and url are set elsewhere on the page
        dataType: 'json',
        cache: false,
        success: function(data)
        {
            // retrieve.php returns a JSON array; index 1 and 2 hold the counts
            var friend = data[1];
            var blog = data[2];
            // note: the values are written into the page as HTML, so they must be
            // trusted (or escaped) server-side data
            $('#user').html("<b>Friends: </b>" + friend + "<b><br> Blogs: </b>" + blog);
        }
    });

Or is there a JSON equivalent to the ajax script above? I think JSON is allowed.

I hope someone could help me out.


Put it on top of retrieve.php:

    header('Access-Control-Allow-Origin: *');

It is important to note that the header() must be called before any actual output is sent.

Wrong

<html>
<?php
header('Access-Control-Allow-Origin: *'); 
?>

Correct

<?php
header('Access-Control-Allow-Origin: *'); 
?>
<html>

Okay, but you all know that the * is a wildcard and allows cross-site scripting from every domain?

Why not put in a list with your own, trusted domains (and protocols):

 header('Access-Control-Allow-Origin: http://mysite1.com', false);
 header('Access-Control-Allow-Origin: http://example.com', false);
 header('Access-Control-Allow-Origin: https://www.mysite2.com', false);
 header('Access-Control-Allow-Origin: http://www.mysite2.com', false);

That's much safer. (The 2nd parameter "false" tells the header() function not to overwrite the old one.)

Why is it safer?

Allowing access from other locations than your own trusted site allows for session hijacking. I'm going to go with a little example: imagine Facebook allows a wildcard origin. This means that you can make your own website somewhere and make it fire AJAX calls (or open iframes) to Facebook. This means you can grab the logged-in info of the Facebook of a visitor of your website. Even worse, you can script POST requests and post data on someone's Facebook, just while they are browsing your website.

Be very cautious when using the ACAO headers!


Warning: Chrome (and other browsers) will complain that multiple ACAO headers are set if you follow some of the other answers.

The error will be something like: XMLHttpRequest cannot load ____. The 'Access-Control-Allow-Origin' header contains multiple values '____, ____, ____', but only one is allowed. Origin '____' is therefore not allowed access.

Try this:

// The Origin header is absent on same-origin and non-browser requests,
// so read it defensively instead of triggering an undefined-index notice.
$http_origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';

$allowed_domains = array(
  'http://domain1.com',
  'http://domain2.com',
);

// Echo back only an origin that exactly matches the allow-list (strict
// comparison), so the response carries a single ACAO value.
if (in_array($http_origin, $allowed_domains, true))
{
    header("Access-Control-Allow-Origin: $http_origin");
}
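As an added example (not code from the question or any of the answers above), here is a complete retrieve.php that applies the exact-match allow-list from this answer, sends the headers before any output as the first answer requires, and additionally handles a preflight OPTIONS request and sets Vary: Origin so shared caches do not serve one origin's response to another. The domain names, the JSON payload and the field layout (data[1] = friends, data[2] = blogs, as used in the question) are constructed assumptions.

```php
<?php
// Added example: hardened retrieve.php with an exact-match origin allow-list.
// Domain names and the returned numbers are constructed placeholders.

$allowed_origins = array(
    'http://domain1.com',
    'http://domain2.com',
);

// Only honour the Origin header the browser actually sent, and only on an
// exact (strict) match: no wildcard, no prefix or substring matching.
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
if (in_array($origin, $allowed_origins, true)) {
    // All header() calls happen here, before any body is produced.
    header('Access-Control-Allow-Origin: ' . $origin);
    // The response differs per Origin, so caches must key on it.
    header('Vary: Origin');
}

// Preflight: browsers send OPTIONS before non-simple requests. Answer it
// without a body. (The question's plain GET would not trigger a preflight;
// this handles the general case.)
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    header('Access-Control-Allow-Methods: GET');
    header('Access-Control-Allow-Headers: Content-Type');
    header('Access-Control-Max-Age: 600');
    http_response_code(204);
    exit;
}

// Validate the input before using it; id is treated as an integer.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;

// Constructed sample result in the layout the question's success handler
// expects: index 1 = friends count, index 2 = blogs count.
$result = array(
    0 => $id,
    1 => 42,
    2 => 7,
);

header('Content-Type: application/json');
echo json_encode($result);
```

A disallowed origin simply receives the JSON without an ACAO header, so the browser blocks the page from reading it while the server never leaks which origins are on the list.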