Question

我正在编写一个简单的应用程序来从http://feeds.bbci.co.uk/news/rss.xml的bbc rss Feed中提取新闻报道。

它需要完全在客户端上运行而不是使用jQuery，因此JSONP不是一个可能的解决方案。我一直在使用localhost上的IE进行测试，然后单击“允许内容”按钮，该按钮会在检测到跨站点请求时弹出。 Chrome和Firefox并不是那么容易让他们允许这样做，我现在想在这些浏览器上进行测试，看看我的应用程序是否适用于它们。

到目前为止...... 我已经尝试更改我的Javascript以使用像这样的CORS请求...

function createCORSRequest(method, url) {
  var xhr = new XMLHttpRequest();
  if ("withCredentials" in xhr) {

    // Check if the XMLHttpRequest object has a "withCredentials" property.
    // "withCredentials" only exists on XMLHTTPRequest2 objects.
    xhr.open(method, url, true);

  } else if (typeof XDomainRequest != "undefined") {

    // Otherwise, check if XDomainRequest.
    // XDomainRequest only exists in IE, and is IE's way of making CORS requests.
    xhr = new XDomainRequest();
    xhr.open(method, url);

  } else {

    // Otherwise, CORS is not supported by the browser.
    xhr = null;

  }
  return xhr;
}

var xhr = createCORSRequest('GET', feedURL);
	xhr.withCredentials = true;
	if (!xhr) {
	  throw new Error('CORS not supported');
	}
	xhr.onload = function() {
	    if (xhr.status === 200) {
	    	var xmlDoc;
			if (window.DOMParser){
				parser = new DOMParser();
				xmlDoc = parser.parseFromString(xhr.responseText,"text/xml");
			}
			else{ // Internet Explorer
				xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
				xmlDoc.async=false;
				xmlDoc.loadXML(xhr.responseText); 
			}

			//do some stuff
	    }
	    else {
	        alert('Request failed.  Returned status of ' + xhr.status);
	    }
	};
	xhr.send();

我还将它上传到我的网络服务器并使用IIS 6进行托管。我添加了一个带有这些设置的网络配置。

<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
  </system.web>
  <system.webServer>
  	<httpProtocol>
     <customHeaders>
       <add name="Access-Control-Allow-Origin" value="*" />
     </customHeaders>
   </httpProtocol>
    <defaultDocument>
      <files>
        <add value="rss.html" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>

我发现了一篇关于在IIS中设置Handler Mappings的文章。建议将OPTIONSVerbHandler设置为ISAPI ...但是我没有这个设置。

任何可以对此有所了解的人。我将不胜感激。

enter image description here

Answer 1

经过更多的研究。似乎最简单的解决方案是创建自己的代理。

将静态网站转换为空白的ASP.Net Web应用程序
在项目中创建一个与服务器联系bbc Feed的通用处理程序
从客户端JS

这是我感兴趣的人的处理程序

using System;

使用System.Collections.Generic; 使用System.IO; 使用System.Linq; 使用System.Net; 使用System.Web; 使用System.Xml;

命名空间Feed { /// /// rss的摘要说明 /// 公共类rss：IHttpHandler {

    public void ProcessRequest(HttpContext context)
    {
        string locationsRequest = CreateRequest();
        context.Response.Write(locationsRequest);
    }

    public bool IsReusable
    {
        get
        {
            return false;
        }
    }

    public static string CreateRequest()
    {
        return XmlHttpRequest("http://feeds.bbci.co.uk/news/rss.xml", "");
    }

    public static string XmlHttpRequest(string urlString, string xmlContent)
    {
        string response = null;
        HttpWebRequest httpWebRequest = null;//Declare an HTTP-specific implementation of the WebRequest class.
        HttpWebResponse httpWebResponse = null;//Declare an HTTP-specific implementation of the WebResponse class

        //Creates an HttpWebRequest for the specified URL.
        httpWebRequest = (HttpWebRequest)WebRequest.Create(urlString);

        try
        {
            byte[] bytes;
            bytes = System.Text.Encoding.ASCII.GetBytes(xmlContent);
            //Set HttpWebRequest properties
            httpWebRequest.Method = "POST";
            httpWebRequest.ContentLength = bytes.Length;
            httpWebRequest.ContentType = "text/xml; encoding='utf-8'";

            using (Stream requestStream = httpWebRequest.GetRequestStream())
            {
                //Writes a sequence of bytes to the current stream 
                requestStream.Write(bytes, 0, bytes.Length);
                requestStream.Close();//Close stream
            }

            //Sends the HttpWebRequest, and waits for a response.
            httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse();

            if (httpWebResponse.StatusCode == HttpStatusCode.OK)
            {
                //Get response stream into StreamReader
                using (Stream responseStream = httpWebResponse.GetResponseStream())
                {
                    using (StreamReader reader = new StreamReader(responseStream))
                        response = reader.ReadToEnd();
                }
            }
            httpWebResponse.Close();//Close HttpWebResponse
        }
        catch (WebException we)
        {   //TODO: Add custom exception handling
            throw new Exception(we.Message);
        }
        catch (Exception ex) { throw new Exception(ex.Message); }
        finally
        {
            httpWebResponse.Close();
            //Release objects
            httpWebResponse = null;
            httpWebRequest = null;
        }
        return response;
    }
}

}

为什么我的XMLHttpRequest不允许XSS？

1 个答案: