2015-05-25

我正在写一个简单的应用程序,用来从BBC的RSS feed(http://feeds.bbci.co.uk/news/rss.xml)中抓取新闻报道。为什么我的XMLHttpRequest不允许XSS(这里指跨域请求,而不是跨站脚本攻击)?

它需要完全在客户端上运行,而不是使用jQuery,所以JSONP不是一个可行的解决方案。我一直在使用本地主机上的IE进行测试,并且在检测到跨站点请求时单击弹出的“允许内容”按钮。 Chrome和Firefox并不是那么容易让他们接受这一点,现在我想在这些浏览器上进行测试,看看我的应用是否适用于他们。

到目前为止..... 我试图改变我的JavaScript使用像这样一个CORS请求......

/**
 * Builds and opens a request object that can be used for a cross-origin call.
 *
 * Opening the request here does not by itself make the call allowed: the
 * browser still blocks the response unless the target server opts in with
 * CORS response headers.
 *
 * @param {string} method HTTP verb passed to open(), e.g. 'GET'.
 * @param {string} url    Address passed to open().
 * @returns {?Object} An opened XMLHttpRequest or XDomainRequest, or null
 *                    when the browser offers neither.
 */
function createCORSRequest(method, url) {
    var request = new XMLHttpRequest();

    // "withCredentials" only exists on XMLHttpRequest2 objects, so its
    // presence is used as the feature test for CORS support.
    if ("withCredentials" in request) {
        request.open(method, url, true);
        return request;
    }

    // XDomainRequest only exists in IE, and is IE's way of making CORS requests.
    if (typeof XDomainRequest != "undefined") {
        request = new XDomainRequest();
        request.open(method, url);
        return request;
    }

    // Neither mechanism is available: CORS is not supported by the browser.
    return null;
}

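// Open a cross-origin GET for the feed. The browser only hands the response
// to this script if the feed's server replies with an
// Access-Control-Allow-Origin header that permits this page's origin;
// headers configured on the page's own server have no effect on that.
var xhr = createCORSRequest('GET', feedURL);

// Check for null before touching the object: createCORSRequest returns null
// when the browser has no CORS-capable request type.
if (!xhr) {
    throw new Error('CORS not supported');
}

// withCredentials is left at its default (false). The feed is fetched
// anonymously, and browsers reject a credentialed response whenever the
// server answers with "Access-Control-Allow-Origin: *".

xhr.onload = function () {
    if (xhr.status === 200) {
        var xmlDoc;

        if (window.DOMParser) {
            // Declared locally so the parser does not leak into the global scope.
            var parser = new DOMParser();
            xmlDoc = parser.parseFromString(xhr.responseText, "text/xml");
        } else { // Internet Explorer
            xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
            xmlDoc.async = false;
            xmlDoc.loadXML(xhr.responseText);
        }

        // Feed titles and descriptions are third-party content: add them to
        // the page as text (textContent / createTextNode), not as innerHTML.
        //do some stuff
    } else {
        alert('Request failed. Returned status of ' + xhr.status);
    }
};

// A request blocked by the same-origin policy (or a network failure) raises
// "error" and never reaches onload, so it needs its own handler.
xhr.onerror = function () {
    alert('Request failed. The browser blocked the request or the network is unavailable.');
};

xhr.send();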

我也上传到我的Web服务器,并与IIS 6托管它。我添加了一个Web配置,与这些设置。

<!-- Site configuration for the page that hosts the feed reader. -->
<configuration> 
 
    <system.web> 
 
    <!-- NOTE(review): debug="true" is a development setting; switch it to
         "false" before the site is exposed publicly. -->
    <compilation debug="true" targetFramework="4.5" /> 
 
    <httpRuntime targetFramework="4.5" /> 
 
    </system.web> 
 
    <system.webServer> 
 
    	 <httpProtocol> 
 
    <customHeaders> 
 
     <!-- This header is attached to responses served by THIS site only. It
          lets any origin read this site's responses; it does not make the
          BBC feed readable from the browser, because that decision belongs
          to the server that serves the feed. Browsers also refuse a
          credentialed request when the value is "*". Prefer listing the
          specific origins that need access if the site ever serves
          anything that is not public. -->
     <add name="Access-Control-Allow-Origin" value="*" /> 
 
    </customHeaders> 
 
    </httpProtocol> 
 
    <!-- Serve rss.html when the site root is requested. -->
    <defaultDocument> 
 
     <files> 
 
     <add value="rss.html" /> 
 
     </files> 
 
    </defaultDocument> 
 
    </system.webServer> 
 
</configuration>

我发现有关在IIS中设置处理程序映射的文章。建议将OPTIONSVerbHandler设置为ISAPI ...但是我没有这个设置。

任何人都可以对此有所了解。我将不胜感激。


回答


进一步研究之后,似乎最简单的解决方案是创建我自己的代理。

  • 把静态站点转换为一个空白的ASP.Net Web应用程序
  • 在项目中创建一个通用处理程序(generic handler),由服务器端去请求BBC的feed
  • 从客户端JS调用这个通用处理程序

这里是我的处理程序,供有兴趣的人参考

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Web;
using System.Xml;

namespace 订阅
{
    /// <summary>
    /// Summary description for RSS
    /// </summary>
    public class RSS : IHttpHandler
    {

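/// <summary>
/// Fetches the feed on the server through <see cref="CreateRequest"/> and writes
/// the feed text into the response, so the browser reads it from this site's own
/// origin instead of making a cross-origin request.
/// </summary>
/// <param name="context">The current request context; its response receives the feed text.</param>
public void ProcessRequest(HttpContext context) 
    { 
        string feedXml = CreateRequest();

        if (feedXml == null)
        {
            // CreateRequest yields null when the upstream reply was not 200 OK.
            // Report that as a gateway failure instead of an empty 200, so the
            // client's status check can tell the difference.
            context.Response.StatusCode = 502;
            return;
        }

        // The body is third-party content. Label it as XML so a browser that
        // opens this URL directly does not interpret it as an HTML page
        // running in this site's origin.
        context.Response.ContentType = "text/xml";
        context.Response.Write(feedXml);
    } 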

    /// <summary>
    /// Reports whether a single instance of this handler may be reused for
    /// further requests. This handler always answers <c>false</c>.
    /// </summary>
    public bool IsReusable
    {
        get { return false; }
    }

    /// <summary>
    /// Requests the BBC News RSS feed through <see cref="XmlHttpRequest"/>,
    /// sending an empty request body.
    /// </summary>
    /// <returns>Whatever <see cref="XmlHttpRequest"/> returns for the feed address.</returns>
    public static string CreateRequest()
    {
        // The address is a fixed literal, not a value taken from the incoming
        // request, so a client cannot point this server-side fetch elsewhere.
        // NOTE(review): the feed is requested over plain http, so the reply is
        // not integrity-protected in transit; confirm whether an https
        // endpoint is available.
        const string feedAddress = "http://feeds.bbci.co.uk/news/rss.xml";
        const string emptyBody = "";

        return XmlHttpRequest(feedAddress, emptyBody);
    }

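    /// <summary>
    /// Sends <paramref name="xmlContent"/> as the body of an HTTP POST to
    /// <paramref name="urlString"/> and returns the response body as text.
    /// </summary>
    /// <param name="urlString">
    /// Address to contact. The request is made from the server, so pass only
    /// fixed or allow-listed addresses, never a value copied from a client request.
    /// </param>
    /// <param name="xmlContent">Request body; <c>null</c> is treated as an empty body.</param>
    /// <returns>The response body when the status is 200 OK; otherwise <c>null</c>.</returns>
    /// <exception cref="WebException">
    /// The request failed or the server answered with an error status. The
    /// exception is no longer replaced by a NullReferenceException from cleanup.
    /// </exception>
    public static string XmlHttpRequest(string urlString, string xmlContent)
    {
        // Creates an HttpWebRequest for the specified URL. The cast fails for
        // addresses that are not http/https.
        HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(urlString);

        // Encode as UTF-8 so the bytes agree with the encoding announced in
        // ContentType below; ASCII would turn non-ASCII characters into '?'.
        byte[] bytes = System.Text.Encoding.UTF8.GetBytes(xmlContent ?? string.Empty);

        // NOTE(review): reading a feed is normally a GET. POST is kept because
        // existing callers may depend on it; confirm before changing.
        httpWebRequest.Method = "POST";
        httpWebRequest.ContentLength = bytes.Length;
        httpWebRequest.ContentType = "text/xml; encoding='utf-8'";

        // The using block closes the request stream, also when Write throws.
        using (Stream requestStream = httpWebRequest.GetRequestStream())
        {
            requestStream.Write(bytes, 0, bytes.Length);
        }

        // Sends the request and waits for the reply. Disposing through using
        // replaces the old finally block, which dereferenced a null response
        // whenever GetResponse itself had thrown.
        using (HttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse())
        {
            if (httpWebResponse.StatusCode != HttpStatusCode.OK)
            {
                return null;
            }

            using (Stream responseStream = httpWebResponse.GetResponseStream())
            using (StreamReader reader = new StreamReader(responseStream))
            {
                return reader.ReadToEnd();
            }
        }
    }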
} 

}