问题描述
我正在研究我的这个个人项目只是为了好玩,我想读取一个位于 http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094533240.xml 并解析 xml 并使用它来转换货币之间的值.
i am working on this personal project of mine just for fun where i want to read an xml file which is located at http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094533240.xml and parse the xml and use it to convert values between the currencies.
到目前为止,我已经想出了下面的代码,这是为了读取 xml 非常基本的代码,但是我收到了以下错误.
so far i have come up with the code below which is pretty basic in order to read the xml but i get the following error.
xmlhttprequest 无法加载 ****.没有访问控制允许来源"请求的资源上存在标头.起源'http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094534929.com' 因此不允许访问.
xmlhttprequest cannot load ****. no 'access-control-allow-origin' header is present on the requested resource. origin 'http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094534929.com' is therefore not allowed access.
$(document).ready( function() { $.ajax({ type: 'get', url: 'http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094533240.xml', datatype: 'xml', success: function(xml){ alert('aaa'); } }); } );
我没有发现我的代码有任何问题,所以我希望有人能指出我的代码有什么问题以及如何修复它.
i don't see anything wrong with my code so i am hoping someone could point out what i am doing wrong with my code and how i could fix it.
推荐答案
您将无法对 http://www.ecb.europa.eu/stats/eurofxref/eurofxref- 进行 ajax 调用由于 http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094534929.com 的文件中的 daily.xmlorigin_policy" rel="noreferrer">同源策略.
you won't be able to make an ajax call to http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094533240.xml from a file deployed at http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094534929.com due to the same-origin policy.
由于源(又名 origin)页面和 target url 位于不同的域(run.jsbin.com 和 www.ecb.europa.eu),您的代码实际上是在尝试制作 跨域(cors)请求,不是普通的get.
as the source (aka origin) page and the target url are at different domains (run.jsbin.com and www.ecb.europa.eu), your code is actually attempting to make a cross-domain (cors) request, not an ordinary get.
简而言之,同源策略表示浏览器应该只允许对 html 页面的同一域中的服务进行 ajax 调用.
in a few words, the same-origin policy says that browsers should only allow ajax calls to services at the same domain of the html page.
http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094545006.com/mypage.html 的页面只能直接请求 http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094545006.com 的服务,例如 http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094545006.com/api/myservice.如果服务托管在另一个域(例如 http://www.ok.com/api/myservice),浏览器将不会直接调用(如您所料).相反,它将尝试发出 cors 请求.
a page at http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094545006.com/mypage.html can only directly request services that are at http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094545006.com, like http://www.51sjk.com/upload/articles/1/0/335/335757_20221102094545006.com/api/myservice. if the service is hosted at another domain (say http://www.ok.com/api/myservice), the browser won't make the call directly (as you'd expect). instead, it will try to make a cors request.
简而言之,要跨不同域执行 (cors) 请求*,您的浏览器:
to put it shortly, to perform a (cors) request* across different domains, your browser:
- 将在原始请求中包含 origin 标头(以页面的域为值)并照常执行;然后
- 仅当服务器响应该请求包含 足够的标题(access-control-allow-origin 是 其中一个) 允许 cors 请求,浏览将完成调用(几乎**与 html 页面在同一个域中的方式完全相同).
- 如果没有出现预期的标头,浏览器就会放弃(就像它对您所做的那样).
- will include an origin header in the original request (with the page's domain as value) and perform it as usual; and then
- only if the server response to that request contains the adequate headers (access-control-allow-origin is one of them) allowing the cors request, the browse will complete the call (almost** exactly the way it would if the html page was at the same domain).
- if the expected headers don't come, the browser simply gives up (like it did to you).
* 上面描述了简单请求中的步骤,例如没有花哨的标头的常规get.如果请求不简单(如 post 以 application/json 作为内容类型),浏览器将等待它片刻,并在完成之前先发送对目标 url 的 options 请求.像上面一样,只有当对这个 options 请求的响应包含 cors 标头时,它才会继续.此 options 调用称为 preflight 请求.
** 我说几乎是因为常规调用和 cors 调用之间还有其他区别.一个重要的问题是,即使响应中存在某些标头,也不会如果它们未包含在 access-control-expose-headers 标头中,则由浏览器拾取.
* the above depicts the steps in a simple request, such as a regular get with no fancy headers. if the request is not simple (like a post with application/json as content type), the browser will hold it a moment, and, before fulfilling it, will first send an options request to the target url. like above, it only will continue if the response to this options request contains the cors headers. this options call is known as preflight request.
** i'm saying almost because there are other differences between regular calls and cors calls. an important one is that some headers, even if present in the response, will not be picked up by the browser if they aren't included in the access-control-expose-headers header.只是一个错字吗? 有时 javascript 代码在目标域中只是一个错字.你检查过吗?如果页面位于 www.example.com,它只会定期调用 www.example.com!其他 url,例如 api.example.com 甚至 example.com 或 www.example.com:8080 被视为 不同 域由浏览器!是的,如果端口不同,那就是不同的域!
was it just a typo? sometimes the javascript code has just a typo in the target domain. have you checked? if the page is at www.example.com it will only make regular calls to www.example.com! other urls, such as api.example.com or even example.com or www.example.com:8080 are considered different domains by the browser! yes, if the port is different, then it is a different domain!
添加标头.启用 cors 的最简单方法是添加必要的标头(如 access-control-allow-origin)到服务器的响应.(每种服务器/语言都有办法做到这一点 - 在此处查看一些百家乐凯发k8的解决方案.)
add the headers. the simplest way to enable cors is by adding the necessary headers (as access-control-allow-origin) to the server's responses. (each server/language has a way to do that - check some solutions here.)
不得已:如果您没有服务器端访问该服务的权限,您也可以镜像它(通过反向代理等工具),并包括那里所有必要的标题.
last resort: if you don't have server-side access to the service, you can also mirror it (through tools such as reverse proxies), and include all the necessary headers there.