cross-domain key knowledge
Overview: the two cross-domain techniques covered here are CORS, a way to get past the browser's restriction, and JSONP, a compromise left over from the IE era.
Same-origin policy
What is an origin?
Origin: protocol + domain name + port
If two URLs have the same protocol, domain name and port number, then the two URLs are of the same origin.
http://www.baidu.com and http://baidu.com are different origins, because their domain names are not exactly the same.
Definition of the same-origin policy
If JS runs in origin A, then that JS can only read data from A, not data from origin B.
Even if the JS was downloaded from origin B and runs in A, it still cannot read data from origin B.
In simple terms, the same-origin policy says that pages from different origins are not allowed to read each other's data.
Why have it?
To protect user privacy.
If there were no same-origin policy
The server could not tell who sent a request.
Suppose page A accesses page B (a different origin): A sends the request, and that request is almost indistinguishable from a normal one made by the user. The only thing that differs is the Referer, so if the backend does not check the Referer, an attacker's request is no different from a legitimate one.
Isn't it enough to just check the Referer?
What if you forget to check it somewhere? Then the whole site is in danger. The security of a chain depends on its weakest link, so a single forgotten check is a big problem.
How to cross domains
CORS
To share data, it has to be declared in advance. If A wants to access B's data, B only needs to list A in its response header (Access-Control-Allow-Origin); the exact syntax can be looked up on MDN.
Yes, it's that simple.
JSONP
IE does not support CORS.
So JSONP appeared.
JSONP works as follows: A can reference B's JS, but cannot read B's data. So B writes the data into a JS file as a call to a predefined function, A references that JS, and A ends up with the data.
Steps
- B writes the data into a JS file
- A references the JS file
- The JS file calls the predefined function window.XXX with the data
- A's window.XXX runs and receives the data
And then the data is read successfully.
I won't show you the code, but it's that simple.
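As an added example (not code from the original post), the three mechanisms above in runnable Node.js form: the origin comparison, a CORS allowlist decision for B's response header, and a JSONP response builder with a simulated page A. The allowlist origins, callback name and data are constructed sample values.

```javascript
// Added example, not from the original post. Runs under Node.js (URL is global).

// Same origin = identical protocol + host + port, as the post defines it.
// (url.origin would give the same answer; the triple is spelled out here.)
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// CORS: B decides which origins may read its responses. Only echo an Origin
// that is on an explicit allowlist. Reflecting any Origin unconditionally is
// "*" in disguise, and unlike "*" it also works for credentialed requests.
function corsHeaders(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) {
    return {}; // no Access-Control-Allow-Origin: the browser blocks the read
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin', // the response depends on Origin; keep caches correct
  };
}

// JSONP: B wraps its data in a call to a function that A has predefined.
// The callback name arrives in the request, so restrict it to an identifier;
// otherwise the caller can put arbitrary script into B's response.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;
function jsonpResponse(callbackName, data) {
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error('invalid JSONP callback name');
  }
  return `window.${callbackName}(${JSON.stringify(data)});`;
}

// Simulates page A: predefine window.XXX, then run B's script (this stands in
// for <script src="https://B/data.js">) and collect what the callback received.
function runJsonpClient(callbackName, script) {
  const window = {};
  let received;
  window[callbackName] = (data) => { received = data; };
  new Function('window', script)(window);
  return received;
}

// Constructed sample run.
console.log(sameOrigin('http://www.baidu.com', 'http://baidu.com')); // false
console.log(corsHeaders('https://a.example', ['https://a.example']));
const script = jsonpResponse('onData', { user: 'alice', id: 7 });
console.log(script, runJsonpClient('onData', script));
```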