Same origin policy
In client-side programming languages such as JavaScript and ActionScript, the same-origin policy is a very important security concept and is of great significance for keeping data secure. The same-origin policy stipulates that scripts from different domains are isolated from each other: a script in one domain cannot access or operate on most properties and methods of another domain. So what counts as the same domain, and what as a different one? When two URLs share the same protocol (such as http), the same port (such as 80), and the same host (such as www.example.org), we can consider them to be in the same domain. For example, http://www.example.org/index.html and http://www.example.org/sub/index.html are in the same domain, while any two of http://www.example.org, https://www.example.org, http://www.example.org:8080 and http://sub.example.org are cross-domain with respect to each other. The same-origin policy also has to handle some special situations, such as restricting the access permissions of scripts under the file protocol. Local HTML files are opened in the browser through the file protocol; if a script could access any other file on the hard disk through the file protocol, security risks would arise. Currently, IE8 still has such risks.
Affected by the same-origin policy, cross-domain resource sharing is restricted. However, through people's practice and the advancement of browsers, a lot of valuable experience with cross-domain request techniques has accumulated. Here I divide cross-domain resource sharing into two types: one-way data requests and two-way message communication. Next, I will list some common cross-domain methods. The source code of the following cross-domain examples can be obtained here.
One-way cross-domain
JSONP
JSONP (JSON with Padding) is a simple and efficient cross-domain method. The script tag in HTML can load and execute JavaScript from other domains, so we can dynamically load resources from other domains through script tags. For example, if I want to load data from domain B in the page pageA of domain A, then in the page pageB of domain B I declare the data required by pageA in the form of JavaScript, and then use a script tag in pageA to load pageB; the script in pageB will then be executed. JSONP adds a callback function on this basis: after pageB is loaded, the function defined in pageA is called, and the required data is passed to it as a parameter. JSONP is easy to implement, but there are also some security risks: a third-party script that is executed at will can tamper with page content and intercept sensitive data. But when transferring data between trusted parties, JSONP is a very suitable choice.
Flash URLLoader
Flash has its own set of security policies. A server can use the crossdomain.xml file to declare which domains' SWF files may access it, and a SWF can also use the API to determine which domains it can be loaded by. When accessing resources across domains, for example requesting data on the domain www.b.com from the domain www.a.com, we can use Flash to send the HTTP request. First, modify the crossdomain.xml on the domain www.b.com (usually stored in the root directory; if it does not exist, create it manually) and add www.a.com to the whitelist. Secondly, send the HTTP request through the Flash URLLoader, and finally pass the response result to JavaScript through the Flash API. Flash URLLoader is a very common cross-domain solution, but if iOS needs to be supported, this solution cannot help.
Access Control
Access Control is a more advanced cross-domain method. It is currently only supported in a few browsers, which can send a cross-domain HTTP request directly (Firefox, Google Chrome, etc. implement this through XMLHttpRequest, and IE8 through XDomainRequest). The response to the request must include an Access-Control-Allow-Origin HTTP response header, which declares which domains may access the requested resource. For example, if www.a.com sends a cross-domain HTTP request to asset.php under www.b.com, then asset.php must add the following response header:
header("Access-Control-Allow-Origin: http://www.a.com");