Javascript 如何读取跨域获取响应?
我知道这已经在这个网站和其他网站上讨论了很多,但我仍然无法读取跨域GET请求的响应 我正在测试一个网站,当GET请求发送到该网站时,该网站会使用CSRF令牌进行响应。该站点具有全面的CSP策略,并使用令牌响应以下请求:Javascript 如何读取跨域获取响应?,javascript,cross-domain,content-security-policy,Javascript,Cross Domain,Content Security Policy,我知道这已经在这个网站和其他网站上讨论了很多,但我仍然无法读取跨域GET请求的响应 我正在测试一个网站,当GET请求发送到该网站时,该网站会使用CSRF令牌进行响应。该站点具有全面的CSP策略,并使用令牌响应以下请求: <html> <body> <script> var HttpClient = function() { this.get = function(aUrl, aCallback) { var anHttpRequest
<html>
<body>
<script>
var HttpClient = function() {
this.get = function(aUrl, aCallback) {
var anHttpRequest = new XMLHttpRequest();
anHttpRequest.onreadystatechange = function() {
if (anHttpRequest.readyState == 4 && anHttpRequest.status == 200)
aCallback(anHttpRequest.responseText);
}
anHttpRequest.open( "GET", aUrl, true );
anHttpRequest.send( null );
}
}
var client = new HttpClient();
client.get('https://domain/csrf-token/', function(response) {
alert(response);
});
</script>
</body>
</html>
GET /csrf-token/ HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: https://*.amazonaws.com/test.html
Origin: https://*.amazonaws.com
Connection: close
HTTP/1.1 200 OK
Server: *****
Date: Mon, 21 Aug 2017 05:20:24 GMT
Content-Type: application/octet-stream
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
x-csrf-token: 1******825-01-RDDOhp****csrf-token
Set-Cookie: ****************************** cookie
X-xcustomheader-xxx: xxx-frontend
Strict-Transport-Security: max-age=604800
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=2592000
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=0
Content-Length: 57
1******825-01-RDDOhp****csrf-token
感谢您的耐心,因为我是跨域请求的初学者。此外,请务必提供任何有助于我更好地理解概念的链接。您的服务器应发送一个响应标题,如
访问控制允许来源:访问控制允许源代码响应头,则浏览器将阻止前端JavaScript代码访问响应。感谢您的澄清和链接。