AJAX（XMLHttpRequest）進行跨域請求方法詳解（二）

注意：以下代碼請在Firefox 3.5、Chrome 3.0、Safari 4之後的版本中進行測試。IE8的實現方法與其他瀏覽不同。

 

2，預檢請求

預檢請求首先需要向另外一個域名的資源發送一個 HTTP OPTIONS 請求頭，其目的就是爲了判斷實際發送的請求是否是安全的。下面的2種情況需要進行預檢：
a，不是上面的簡單請求，比如使用Content-Type 爲 application/xml 或 text/xml 的 POST 請求
b，在請求中設置自定義頭，比如 X-JSON、X-MENGXIANHUI 等

 

注意：在 iis 裏進行測試，必須在“應用程序擴展”裏面配置 .aspx 擴展的動作允許 OPTIONS。

下面我們舉一個預檢的請求：

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>孟憲會之AJAX跨域請求測試</title> </head> <body> <input type='button' value='開始測試' onclick='crossDomainRequest()' /> <div id="content"></div> <mce:script type="text/javascript"><!-- var xhr = new XMLHttpRequest(); var url = 'http://dotnet.aspx.cc/PreflightedRequests.aspx'; function crossDomainRequest() { document.getElementById("content").innerHTML = "開始進行請求……"; if (xhr) { var xml = "<root>測試</root>"; xhr.open('POST', url, true); xhr.setRequestHeader("POWERED-BY-MENGXIANHUI", "Approve"); xhr.setRequestHeader("Content-Type", "application/xml"); xhr.onreadystatechange = handler; xhr.send(xml); } else { document.getElementById("content").innerHTML = "不能創建 XMLHttpRequest。"; } } function handler(evtXHR) { if (xhr.readyState == 4) { if (xhr.status == 200) { var response = xhr.responseText; document.getElementById("content").innerHTML = "結果：" + response; } else { document.getElementById("content").innerHTML = "不能進行跨越訪問。"; } } else { document.getElementById("content").innerHTML += "<br/>執行狀態 readyState：" + xhr.readyState; } } // --></mce:script> </body> </html>

上面的例子我們發送 xml 格式的數據，並且，發送一個非標準的HTTP頭 POWERED-BY-MENGXIANHUI 來說明服務器端該如何設置響應頭的。

在服務器端，PreflightedRequests.aspx 的內容如下：
<%@ Page Language="C#" %> <mce:script runat="server"><!-- protected void Page_Load(object sender, EventArgs e) { if (Request.HttpMethod.Equals("GET")) { Response.Write("這個頁面是用來測試跨域 POST 請求的，直接瀏覽意義不大。"); } else if (Request.HttpMethod.Equals("OPTIONS")) { //通知客戶端允許預檢請求。並設置緩存時間 Response.ClearContent(); Response.AddHeader("Access-Control-Allow-Origin", "http://www.meng_xian_hui.com:801"); Response.AddHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS"); Response.AddHeader("Access-Control-Allow-Headers", "POWERED-BY-MENGXIANHUI"); Response.AddHeader("Access-Control-Max-Age", "30"); //此過程無需返回數據 Response.End(); } else if (Request.HttpMethod.Equals("POST")) { if (Request.Headers["Origin"].Equals("http://www.meng_xian_hui.com:801")) { System.Xml.XmlDocument doc = new System.Xml.XmlDocument(); doc.Load(Request.InputStream); Response.AddHeader("Access-Control-Allow-Origin", "http://www.meng_xian_hui.com:801"); Response.Write("您提交的數據是：<br/><br/>" + Server.HtmlEncode(doc.OuterXml)); } else { Response.Write("不允許你的網站請求。"); } } } // --></mce:script>

點擊“開始測試”按鈕，將會執行下面的一系列請求。

OPTIONS /PreflightedRequests.aspx HTTP/1.1 Host: dotnet.aspx.cc User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Origin: http://www.meng_xian_hui.com:801 Access-Control-Request-Method: POST Access-Control-Request-Headers: powered-by-mengxianhui HTTP/1.x 200 OK Date: Sun, 10 Jan 2010 14:00:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Access-Control-Allow-Origin: http://www.meng_xian_hui.com:801 Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: POWERED-BY-MENGXIANHUI Access-Control-Max-Age: 30 Set-Cookie: ASP.NET_SessionId=5npqri55dl1k1zvij1tlw3re; path=/; HttpOnly Cache-Control: private Content-Length: 0 POST /PreflightedRequests.aspx HTTP/1.1 Host: dotnet.aspx.cc User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive POWERED-BY-MENGXIANHUI: Approve Content-Type: application/xml; charset=UTF-8 Referer: http://www.meng_xian_hui.com:801/CrossDomainAjax/PreflightedRequests.html Content-Length: 19 Origin: http://www.meng_xian_hui.com:801 Pragma: no-cache Cache-Control: no-cache <root>測試</root> HTTP/1.x 200 OK Date: Sun, 10 Jan 2010 14:00:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Access-Control-Allow-Origin: http://www.meng_xian_hui.com:801 Set-Cookie: ASP.NET_SessionId=byvose45zmtbqy45d2a1jf2i; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 65

 

以上的代碼反映了預檢請求的執行過程：首先發送 OPTIONS 請求頭，用來向服務器諮詢服務器的更多信息，以便爲後續的真實請求做準備。比如是否支持 POST 方法等。值得注意的是：

瀏覽器還發送 Access-Control-Request-Method: POST 和 Access-Control-Request-Headers: powered-by-mengxianhui 請求頭。

注意：以上過程是第一次請求的時候的過程，如果在 30 秒內重複點擊按鈕，你可以看不到 OPTIONS 這一過程。則執行過程是這樣的：

 

POST /PreflightedRequests.aspx HTTP/1.1 Host: dotnet.aspx.cc User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive POWERED-BY-MENGXIANHUI: Approve Content-Type: application/xml; charset=UTF-8 Referer: http://www.meng_xian_hui.com:801/CrossDomainAjax/PreflightedRequests.html Content-Length: 19 Origin: http://www.meng_xian_hui.com:801 Pragma: no-cache Cache-Control: no-cache <root>測試</root> HTTP/1.x 200 OK Date: Sun, 10 Jan 2010 14:06:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Access-Control-Allow-Origin: http://www.meng_xian_hui.com:801 Set-Cookie: ASP.NET_SessionId=qs1c4urxywdbdx55u04pvual; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 65

 

爲什麼會這樣？細心的童鞋可能注意到了，在服務器端有一行代碼 Response.AddHeader("Access-Control-Max-Age", "30");  它是用來設置預檢的有效時間的，單位是秒。這一點要特別注意。