Home > Article > Web Front-end > Detailed explanation of JS cross-domain issues_Basic knowledge

Detailed explanation of JS cross-domain issues_Basic knowledge

WBOYOriginal: 2016-05-16 16:30:281305browse

JavaScript is a front-end dynamic scripting technology often used in web development. In JavaScript, there is a very important security restriction called "Same-Origin Policy". This policy places important restrictions on the page content that JavaScript code can access, that is, JavaScript can only access content in the same domain as the document that contains it.

JavaScript security strategy is particularly important when performing multi-iframe or multi-window programming, as well as Ajax programming. According to this policy, JavaScript code contained in pages under baidu.com cannot access page content under the google.com domain name; even pages between different subdomains cannot access each other through JavaScript code. The impact on Ajax is that Ajax requests implemented through XMLHttpRequest cannot submit requests to different domains. For example, pages under abc.example.com cannot submit Ajax requests to def.example.com, etc.

However, when doing some in-depth front-end programming, cross-domain operations are inevitably required. At this time, the "same origin policy" appears to be too harsh. This article summarizes some technologies required for cross-domain on this issue.

Next we discuss cross-domain technology in two situations: first, we discuss cross-domain technology in different subdomains, and then we discuss cross-domain technology in completely different domains.

(1) Cross-domain technologies in different subdomains.
We will discuss two questions separately: the first question is how to make JavaScript calls across different subdomains; the second question is how to submit Ajax requests to different subdomains.

Let’s solve the first problem first. Suppose there are two different subdomains under the example.com domain: abc.example.com and def.example.com. Now suppose there is a page under def.example.com, which defines a JavaScript function:

Copy code The code is as follows:

function funcInDef() {

.....

}

We want to call the above function in a page under abc.example.com. Suppose that the page under abc.example.com we want to discuss is embedded in the page under def.example.com in the form of an iframe. In this case, we may try to make the following call in the iframe:

Copy code The code is as follows:

window.top.funcInDef();

Okay, we noticed that this call is prohibited by the "same origin policy" mentioned earlier, and the JavaScript engine will directly throw an exception.

In order to implement the above call, we can do it by modifying the domain attributes of the two pages. For example, we can add the following JavaScript code snippets to the top of the two pages above abc.example.com and def.example.com:

Copy code The code is as follows:

In this way, the two pages become the same domain, and the previous call can be executed normally.

One thing to note here is that the document.domain attribute of a page can only be set to a higher-level domain name (except for the first-level domain name), but cannot be set to a subdomain deeper than the current domain name. For example, the page abc.example.com can only set its domain to example.com, not sub.abc.example.com, and of course it cannot be set to the first-level domain name com.

The above example discusses the case where two pages belong to an iframe nested relationship. When the two pages have an open and opened relationship, the principle is exactly the same.

Now let’s solve the second problem: how to submit Ajax requests to different subdomains.

Normally, we will use code similar to the following to create an XMLHttpRequest object:

Copy code The code is as follows:

factories = [

Function() { return new XMLHttpRequest(); },

Function() { return new ActiveXObject("Msxml2.XMLHTTP"); },

Function() { return new ActiveXObject("Microsoft.XMLHTTP"); }

];

function newRequest() {

for(var i = 0; i < factories.length; i ) {

         try{

          var factory = factories[i];

              return factory();

           } catch(e) {}

}

Return null;

}

The above code references ActiveXObject for compatibility with IE6 series browsers. Every time we call the newRequest function, we get a newly created Ajax object, and then use this Ajax object to send an HTTP request. For example, the following code sends a GET request to abc.example.com:

Copy code The code is as follows:

var request = newRequest();
request.open("GET", "http://abc.example.com" );
request.send(null);

Assuming that the above code is included in a page under the abc.example.com domain name, the GET request can be sent successfully without any problems. However, if we now send a request to def.example.com, a cross-domain issue occurs and the JavaScript engine throws an exception.

The solution is to place a cross-domain file under the def.example.com domain, assuming it is called crossdomain.html; then move the definition of the previous newRequest function to this cross-domain file; and finally modify the document as before. The domain value is the same. At the top of the crossdomain.html file and the page that calls Ajax under the abc.example.com domain, add:

Copy code The code is as follows:

In order to use cross-domain files, we embed a hidden iframe pointing to cross-domain files in the page that calls Ajax under the abc.example.com domain, for example:

[code]
</iframe">http://def.example.com/crossdomain.html"></iframe</a>><br> </p> </div> <p> At this time, the page under the abc.example.com domain and the cross-domain file crossdomain.html are both under the same domain (example.com). We can call crossdomain in the page under the abc.example.com domain. newRequest function in html: </p> <p></p> <div class="codetitle"> <span><a style="CURSOR: pointer" data="58860" class="copybut" id="copybut58860" onclick="doCopy('code58860')"><u>Copy code</u></a></span> The code is as follows:</div> <div class="codebody" id="code58860"> <br> var request = window.frames["xd_iframe"].newRequest();<br> </div> <p> The request object obtained in this way can send an HTTP request to <a href="http://def.example.com">http://def.example.com</a>. </p> <p> (2) Cross-domain technologies in completely different domains. <br> If the top-level domain names are different, for example, example1.com and example2.com want to communicate on the front end through JavaScript, the required technology is more complicated. </p> <p> Before explaining cross-domain technologies in different domains, let us first make it clear that the technologies to be discussed below are also applicable to the previous situation across different sub-domains, because crossing different sub-domains is only a special case of cross-domain problems. Of course, using the right technology under the right circumstances can ensure better efficiency and higher stability. </p> <p> In short, according to different cross-domain needs, cross-domain technologies can be classified into the following categories: </p> <p>1. JSONP cross-domain GET request<br> 2. Achieve cross-domain through iframe <br> 3. Flash cross-domain HTTP request <br> 4. window.postMessage</p> <p>This article ends here first. We will introduce the 4 cross-domain technologies mentioned above in detail later on! </p></div><div class="nphpQianMsg"><div class="clear"></div></div><div class="nphpQianSheng"><span>Statement：</span><div>The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn</div></div></div><div class="nphpSytBox"><span>Previous article：<a class="dBlack" title="Detailed explanation of javascript prototype chain maintenance and inheritance_javascript skills" href="https://m.php.cn/faq/10347.html">Detailed explanation of javascript prototype chain maintenance and inheritance_javascript skills</a></span><span>Next article：<a class="dBlack" title="Detailed explanation of javascript prototype chain maintenance and inheritance_javascript skills" href="https://m.php.cn/faq/10349.html">Detailed explanation of javascript prototype chain maintenance and inheritance_javascript skills</a></span></div><div class="nphpSytBox2"><div class="nphpZbktTitle"><h2>Related articles</h2><em><a href="https://m.php.cn/article.html" class="bBlack"><i>See more</i><b></b></a></em><div class="clear"></div></div><ul class="nphpXgwzList"><li><b></b><a href="https://m.php.cn/faq/1609.html" title="An in-depth analysis of the Bootstrap list group component" class="aBlack">An in-depth analysis of the Bootstrap list group component</a><div class="clear"></div></li><li><b></b><a href="https://m.php.cn/faq/1640.html" title="Detailed explanation of JavaScript function currying" class="aBlack">Detailed explanation of JavaScript function currying</a><div class="clear"></div></li><li><b></b><a href="https://m.php.cn/faq/1949.html" title="Complete example of JS password generation and strength detection (with demo source code download)" class="aBlack">Complete example of JS password generation and strength detection (with demo source code download)</a><div class="clear"></div></li><li><b></b><a href="https://m.php.cn/faq/2248.html" title="Angularjs integrates WeChat UI (weui)" class="aBlack">Angularjs integrates WeChat UI (weui)</a><div class="clear"></div></li><li><b></b><a href="https://m.php.cn/faq/2351.html" title="How to quickly switch between Traditional Chinese and Simplified Chinese with JavaScript and the trick for websites to support switching between Simplified and Traditional Chinese_javascript skills" class="aBlack">How to quickly switch between Traditional Chinese and Simplified Chinese with JavaScript and the trick for websites to support switching between Simplified and Traditional Chinese_javascript skills</a><div class="clear"></div></li></ul></div></div><footer><div class="footer"><div class="footertop"><img src="/static/imghwm/logo.png" alt=""><p>Public welfare online PHP training，Help PHP learners grow quickly！</p></div><div class="footermid"><a href="https://m.php.cn/about/us.html">About us</a><a href="https://m.php.cn/about/disclaimer.html">Disclaimer</a><a href="https://m.php.cn/update/article_0_1.html">Sitemap</a></div><div class="footerbottom"><p> © php.cn All rights reserved </p></div></div></footer><script>isLogin = 0;</script><script type="text/javascript" src="/static/layui/layui.js"></script><script type="text/javascript" src="/static/js/global.js?4.9.47"></script></div><script src="https://vdse.bdstatic.com//search-video.v1.min.js"></script><link rel='stylesheet' id='_main-css' href='/static/css/viewer.min.css' type='text/css' media='all'/><script type='text/javascript' src='/static/js/viewer.min.js?1'></script><script type='text/javascript' src='/static/js/jquery-viewer.min.js'></script><script>jQuery.fn.wait = function (func, times, interval) { var _times = times || -1, //100次 _interval = interval || 20, //20毫秒每次 _self = this, _selector = this.selector, //选择器 _iIntervalID; //定时器id if( this.length ){ //如果已经获取到了，就直接执行函数 func && func.call(this); } else { _iIntervalID = setInterval(function() { if(!_times) { //是0就退出 clearInterval(_iIntervalID); } _times <= 0 || _times--; //如果是正数就 -- _self = $(_selector); //再次选择 if( _self.length ) { //判断是否取到 func && func.call(_self); clearInterval(_iIntervalID); } }, _interval); } return this; } $("table.syntaxhighlighter").wait(function() { $('table.syntaxhighlighter').append("<p class='cnblogs_code_footer'><span class='cnblogs_code_footer_icon'></span></p>"); }); $(document).on("click", ".cnblogs_code_footer",function(){ $(this).parents('table.syntaxhighlighter').css('display','inline-table');$(this).hide(); }); $('.nphpQianCont').viewer({navbar:true,title:false,toolbar:false,movable:false,viewed:function(){$('img').click(function(){$('.viewer-close').trigger('click');});}}); </script></body></html>