为什么这个API给出的是"No Access-Control-Allow-Origin header",我可以通过地址栏或者http://www.hurl.it访问吗
Why if this API gives the "No Access-Control-Allow-Origin header", can I access it through the address bar or http://www.hurl.it
编辑:请参阅:https://softwareengineering.stackexchange.com/questions/216605/how-do-web-servers-enforce-the-same-origin-policy 了解为什么浏览器强制执行访问源限制但服务器(如 Hurl.It)不受限制的很好解释。
我正在尝试使用在此处 http://forismatic.com/en/api/. But I am getting the "No 'Access-Control-Allow-Origin' header" error. If that is the case, why can I access the API by entering the URL with its parameters directly into the address bar of my browser, or through http://www.hurl.it 找到的 API?如果有任何影响,我正在使用 codepen。
我的代码如下。非常感谢,我已经搜索了几个小时,但我已经走投无路了。
var quoteRequest = new XMLHttpRequest();
quoteRequest.open("GET", "http://www.api.forismatic.com/api/1.0/?method=getQuote&format=json&lang=en", true);
quoteRequest.send();
var quote = JSON.parse(quoteRequest.responseText);
If that is the case, why can I access the API by entering the URL with its parameters directly into the address bar of my browser, or through http://www.hurl.it ?
因为这就是 Same Origin Policy 的工作原理:它适用于 ajax 请求,而不是直接请求(在地址栏中输入)或服务器端请求(Hurl-It 的作用) .
SOP 的目的是防止页面 A 从浏览器中使用页面 A 中页面 B 的资源。这主要是为了保护 用户 ,因为当浏览器从页面 B 请求资源时,它可能会使用用户的会话或其他凭据,向页面 A 的代码泄露它应该有权访问的信息. apsillers has a great explanation of this 结束 programmers.stackexchange.com;这是摘录:
For example, suppose I accidentally load http://evil.com/, which sends a request for http://mail.google.com/. If the SOP were not in place, and I was signed into Gmail, the script at evil.com could see my inbox. If the site at evil.com wants to load mail.google.com without my cookies, it can just use a proxy server; the public contents of mail.google.com are not a secret (but the contents of mail.google.com when accessed with my cookies are a secret).
如果 API 不授予对您的来源(您的页面)的访问权限,并且不提供 JSONP 替代方案,您只能通过中间服务器(您自己的服务器)间接使用它服务器,或 Hurl-It 等)。
编辑:请参阅:https://softwareengineering.stackexchange.com/questions/216605/how-do-web-servers-enforce-the-same-origin-policy 了解为什么浏览器强制执行访问源限制但服务器(如 Hurl.It)不受限制的很好解释。
我正在尝试使用在此处 http://forismatic.com/en/api/. But I am getting the "No 'Access-Control-Allow-Origin' header" error. If that is the case, why can I access the API by entering the URL with its parameters directly into the address bar of my browser, or through http://www.hurl.it 找到的 API?如果有任何影响,我正在使用 codepen。
我的代码如下。非常感谢,我已经搜索了几个小时,但我已经走投无路了。
var quoteRequest = new XMLHttpRequest();
quoteRequest.open("GET", "http://www.api.forismatic.com/api/1.0/?method=getQuote&format=json&lang=en", true);
quoteRequest.send();
var quote = JSON.parse(quoteRequest.responseText);
If that is the case, why can I access the API by entering the URL with its parameters directly into the address bar of my browser, or through http://www.hurl.it ?
因为这就是 Same Origin Policy 的工作原理:它适用于 ajax 请求,而不是直接请求(在地址栏中输入)或服务器端请求(Hurl-It 的作用) .
SOP 的目的是防止页面 A 从浏览器中使用页面 A 中页面 B 的资源。这主要是为了保护 用户 ,因为当浏览器从页面 B 请求资源时,它可能会使用用户的会话或其他凭据,向页面 A 的代码泄露它应该有权访问的信息. apsillers has a great explanation of this 结束 programmers.stackexchange.com;这是摘录:
For example, suppose I accidentally load
http://evil.com/, which sends a request forhttp://mail.google.com/. If the SOP were not in place, and I was signed into Gmail, the script at evil.com could see my inbox. If the site at evil.com wants to load mail.google.com without my cookies, it can just use a proxy server; the public contents of mail.google.com are not a secret (but the contents of mail.google.com when accessed with my cookies are a secret).
如果 API 不授予对您的来源(您的页面)的访问权限,并且不提供 JSONP 替代方案,您只能通过中间服务器(您自己的服务器)间接使用它服务器,或 Hurl-It 等)。