
Safe cross-origin ajax on PhoneGap

This is the first time I'm toying with PhoneGap, so I actually never needed Cross Origin Resource Sharing (CORS) before.

It is by default blocked, and the options I found in the web are either hacks or insecure. My question is: What is the best or proper way to accomplish server integration using PhoneGap?

Bear in mind:

  • I need session control serverside to keep the user logged in
  • The request is coming from a file in PhoneGap's webview so origin = null
  • I'm using PHP serverside and have full control over it
  • is already added to config.xml (it enables me to reach out for the server, but doesn't guarantee it will respond to a cross-origin request)

A long search on the web led me to:

Access-Control-Allow-Origin *
Access-Control-Allow-Credentials true

But I understood they're rather unsafe, especially combined. I could save the user session ID locally, but that seems hacky and unsafe.

There's also JSONP to the rescue, but that also seems hacky, unsafe and won't persist my session ID.

I could use a proxy server, but that seems far from optimal and, as I understand it, it'll be hard to prevent an attacker from using this same proxy server to perform the same operations.
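
An added example, not part of the original post: a JavaScript model of the CORS check a browser applies to a response (per the Fetch standard), run against the header pair quoted above for a page whose origin is `null`. The sample responses and the `https://app.example` origin are constructed.

```javascript
// Added example: a model of the browser's CORS check (Fetch standard).
// origin:  value of the Origin request header ("null" for a file:// page)
// creds:   true when the request carries cookies (xhr.withCredentials = true)
// headers: response headers with lower-cased names
function corsCheck(origin, creds, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { ok: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  // The wildcard is honoured only when no credentials are involved.
  if (!creds && allowOrigin === '*') return { ok: true, reason: 'wildcard' };
  // Otherwise the header must equal the request origin exactly.
  if (allowOrigin !== origin) {
    return { ok: false, reason: 'allowed origin does not match request origin' };
  }
  if (!creds) return { ok: true, reason: 'origin match' };
  // With credentials, Allow-Credentials must be the exact string "true".
  if (headers['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'credentials not allowed' };
  }
  return { ok: true, reason: 'origin match with credentials' };
}

// Constructed sample responses, all for a PhoneGap page whose origin is "null".
const samples = {
  wildcardWithCookies: { creds: true, headers: {
    'access-control-allow-origin': '*',
    'access-control-allow-credentials': 'true' } },
  wildcardNoCookies: { creds: false, headers: {
    'access-control-allow-origin': '*' } },
  echoNullWithCookies: { creds: true, headers: {
    'access-control-allow-origin': 'null',
    'access-control-allow-credentials': 'true' } },
  otherOriginWithCookies: { creds: true, headers: {
    'access-control-allow-origin': 'https://app.example',
    'access-control-allow-credentials': 'true' } },
};

function runSamples() {
  const out = {};
  for (const [name, s] of Object.entries(samples)) {
    out[name] = corsCheck('null', s.creds, s.headers);
  }
  return out;
}

console.log(runSamples());
```

The `*` plus `true` pair fails for any request that sends cookies. Echoing `null` passes the check, but every local file and sandboxed frame shares that origin value, so the header does not identify the app.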

1 solution

#1


0  

Hi, you can disable security in the browser and use it. Please find the link for disabling security for Chrome.

Disable same origin policy in Chrome
