This restriction comes from the browser's JavaScript security model: by default, script running on a page from domain B may not use ajax to request resources on server A in another domain. Here is a simple example of the risk that restriction prevents:
Suppose ajax could reach any domain. I could then write ajax on my own machine to request resources from various Google web applications. For example, I could first use Firefox to study the addresses and parameters of the many ajax requests GMail makes during login, and learn how the user's cookie is verified. Then I could write JS to obtain other users' cookies across domains, bypassing their GMail password and logging into their mailboxes.
Given the cross-domain restriction on ajax, is it really impossible for ajax to access another domain?
It is true that ajax itself cannot cross domains, but we can achieve the same effect through a relay. The principle of this proxy is very simple: you place your own container between your JavaScript and the resources on remote server A. Any dynamic web language will do (asp, php, java, .net, and so on). Taking asp as the example, the page below obtains a user's friend list from the Redekuai website and returns it in XML format:
<%
' Relay a GET request to the remote API and return its raw response body
p = "http://redekuai.com/api/user_friends_xml/funy"
Response.BinaryWrite ZQcnGet(p)
Response.Flush

Function ZQcnGet(url)
    Set Retrieval = CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "GET", url, False, "", ""
        .Send
        ZQcnGet = .ResponseBody
    End With
    Set Retrieval = Nothing
End Function
%>
Save this code as proxy.asp and deploy it in IIS. Now JavaScript on any machine can use ajax to request proxy.asp, which in effect gives ajax access to the other domain.
The PHP version is simpler:
<?php
// The request to the remote server is made from here, not from the page's JavaScript
echo file_get_contents("http://redekuai.com/api/user_friends_xml/funy");
?>
Note: The php version needs to be >= 4.3.0.
Here is the asp.net (C#) version:
using System;
using System.IO;
using System.Net;
using System.Text;

public partial class ajaxpages : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Fetch the remote XML on the server side and relay it to the browser
        WebRequest wr = WebRequest.Create("http://redekuai.com/api/user_friends_xml/funy");
        WebResponse wres = wr.GetResponse();
        Encoding resEncoding = Encoding.GetEncoding("utf-8");
        StreamReader sr = new StreamReader(wres.GetResponseStream(), resEncoding);
        string html = sr.ReadToEnd();
        Response.Write(html);
        sr.Close();
        wres.Close();
    }
}
The three files are proxy.asp, proxy.php and proxy.aspx respectively.
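All three proxies above hardcode the remote URL. As soon as a relay takes the target from the client, it becomes an open proxy that will fetch any URL on the caller's behalf (including internal addresses the server can reach), so the target has to be checked against an allow-list before anything is fetched. Added example in Python, not from the original post: a minimal relay with a hypothetical ?target= parameter that only forwards to the redekuai.com /api/ path used above.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
from urllib.request import urlopen

# Allow-list of (scheme, host, path prefix) the relay may forward to.
# The redekuai.com API path is the one used in the post; everything else is rejected.
ALLOWED_TARGETS = [("http", "redekuai.com", "/api/")]


def validate_target(target):
    """Return a normalised URL if `target` is on the allow-list, otherwise None.

    Rejects other hosts, userinfo tricks ("http://redekuai.com@evil.example/"),
    non-default ports, other schemes and ".." segments that would escape /api/.
    """
    if not target:
        return None
    parts = urlparse(target)
    if parts.username or parts.password or parts.port not in (None, 80):
        return None
    if ".." in parts.path.split("/"):
        return None
    for scheme, host, prefix in ALLOWED_TARGETS:
        if parts.scheme == scheme and parts.hostname == host and parts.path.startswith(prefix):
            query = f"?{parts.query}" if parts.query else ""
            return f"{scheme}://{host}{parts.path}{query}"
    return None


class ProxyHandler(BaseHTTPRequestHandler):
    """Handles GET /proxy?target=<url> (hypothetical client contract, an assumption)."""

    def do_GET(self):
        params = parse_qs(urlparse(self.path).query)
        target = validate_target(params.get("target", [""])[0])
        if target is None:
            # Anything off the allow-list is refused instead of fetched on the caller's behalf.
            self.send_error(403, "target not allowed")
            return
        with urlopen(target, timeout=5) as upstream:
            body = upstream.read()
        self.send_response(200)
        self.send_header("Content-Type", "application/xml; charset=utf-8")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```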
So what is the practical significance of building such a proxy and letting JavaScript on an ordinary machine (not a web server) access the resources of remote websites?
You should know that Internet technology has fully entered the Mashup era. More than 2,000 companies in the United States make their living on Facebook apps. Could such an industry chain not develop in China too? Bear in mind that within five years the Internet will also be part of China's infrastructure. Some fairly good web2.0 sites (Redekuai among them) are already opening APIs or preparing to open them.