Detailed introduction to same-origin and cross-domain front-end interviews-CSS Tutorial-php.cn

Home

Web Front-end

CSS Tutorial

Detailed introduction to same-origin and cross-domain front-end interviews

巴扎黑

Sep 14, 2017 am 09:36 AM

introduceDetails

Cross-domain is caused by the browser's same-origin policy. It refers to the url address requested by the page. It must be in the same domain as the url address on the browser (that is, the domain name, port, and protocol are the same). The following article explains Let me introduce to you the relevant information about the same origin and cross-domain that are necessary for front-end interviews. The article introduces it in detail through sample code. Friends who need it can refer to it.

Preface

As we all know, the browser’s same-origin strategy and cross-domain methods are also issues with a high appearance rate in front-end interviews. This article I mainly shared with you about the same-origin and cross-domain issues that will be encountered during front-end interviews. I won’t go into more details below. Let’s take a look at the detailed introduction.

What is the same-origin policy

The same-origin policy is used to restrict how documents or scripts loaded from one source can interact with documents or scripts loaded from another source. It is a key security mechanism for isolating potentially malicious files.

What is the same origin?

If the protocol, domain name and port are the same for two pages, then the two pages are of the same origin. For example: http://www.hyuhan.com/index.html For this website, the protocol is http, the domain name is www.hyuhan.com, the port is 80 (default port), and its origin is as follows:

http://www.hyuhan.com/other.html: same origin
http://hyuhan.com/other.html: different origin ( Different domain names)
https://www.hyuhan.com/other.html: Different sources (different protocols)
http:/ /www.hyuhan.com:81/other.html: Different sources (different ports)

The same-origin policy is to protect the security of user information. The main restrictions restricted by the same-origin policy are The following behaviors:

Cookie, LocalStorage and IndexDB cannot be read
DOM cannot be operated
AJAX request cannot be sent

How to perform cross-domain access

How to perform cross-domain AJAX request

There are three main methods to bypass the restrictions of the same-origin policy and make cross-domain AJAX requests.

JSONP

JSONP is a common method for cross-domain communication between the client and the server. Use the cross-domain

window.onload = function() {
    var script = document.createElement(&#39;script&#39;);
    script.src = "http://example.com/callback=test";
    document.appendChild(script);
}
function test(res) {
    console.log(res);
}

The callback parameter of src is used to set the name of the callback function that needs to be called by the backend. The data returned by the server is as follows:

test({
    "name": "小明",
    "age": 24
    })

In this way, the front-end can read the back-end data across domains. However, jsopn can only make get requests and cannot send post requests.

WebSocket

WebSocket is a new network protocol based on TCP. It does not implement the same-origin policy. As long as the server supports it, cross-domain access is possible. And WebSocket is not limited to Ajax communication, because Ajax technology requires the client to initiate a request, and the WebSocket server and client can push information to each other.

CORS

CORS is the abbreviation of Access-Control-Allow-Origin (cross-domain resource sharing), which is a W3C standard. CORS needs to be supported by both the browser and the server. Currently, basically all browsers support this feature. Server-side support for CORS is mainly performed by setting Access-Control-Allow-Origin. If the browser detects the corresponding settings, it can allow Ajax cross-domain access.

document.domain

Cookie is information written by the server to the browser. For security reasons, only web pages with the same origin can be shared. However, if the first-level domain names of the two web pages are the same but the domain names of the headphones are different, you can share cookies by setting document.domain.

For example, the domain name of one web page is http://w1.example.com/a.html and the domain name of another web page is http://w2.example.com/b.html. As long as they are set the same document.domain, the two web pages can share cookies.

postMessage API

The postMessage() method allows scripts from different sources to communicate in an asynchronous manner in a limited manner, enabling cross-document, multi-window, and cross-domain messaging. . Use the postMessage() function to pass the message, and the target page listens to the message event of the window to receive the message. Using postMessage, we can read LocalStorage, IndexDB and DOM data across domains.

window.name

The browser window has the window.name attribute. This attribute stipulates that regardless of whether it has the same source or not, as long as it is in a window, the previous web page is set This attribute can be read by the next web page. That is, within the life cycle of a window (window), all pages loaded by the window share a window.name. Each page has read and write permissions for window.name. Window.name persists in a window. of all pages loaded. Obviously, this can achieve cross-domain access.

The above is the detailed content of Detailed introduction to same-origin and cross-domain front-end interviews. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Understanding How Reducers are Used in ReduxApr 15, 2025 am 10:08 AM

A reducer is a function that determines changes to an application’s state. It uses the action it receives to determine this change. We have tools, like Redux,

Netlify CMS Open AuthoringApr 15, 2025 am 10:07 AM

I like the term "Git-backed CMS." That term works for an emerging style of CMS that looks and behaves much like any other CMS, with a fascinating twist: it

Some Things You Oughta Know When Working with Viewport UnitsApr 15, 2025 am 10:05 AM

David Chanin has a quickie article summarizing a problem with setting an element's height to 100vh in mobile browsers and then also positioning something on

Show Search Button when Search Field is Non-EmptyApr 15, 2025 am 10:00 AM

I think the :placeholder-shown selector is tremendously cool. It allows you to select the placeholder of an input () when that placeholder is present.

The Trick to Animating the Dot on the Letter 'i'Apr 15, 2025 am 09:55 AM

Here’s the trick: by combining the Turkish letter "ı" and the period "." we can create something that looks like the letter "i," but is made from two separate

Weekly Platform News: WebAPK Limited to Chrome, Discernible Focus Rectangles, Modal Window APIApr 15, 2025 am 09:53 AM

In this week's roundup: "Add to home screen" has different meanings in Android, Chrome and Edge add some pop to focus rectangles on form inputs, and how

Making a Chart? Try Using Mobx State Tree to Power the DataApr 15, 2025 am 09:49 AM

Who loves charts? Everyone, right? There are lots of ways to create them, including a number of libraries. There’s D3.js, Chart.js, amCharts, Highcharts, and

Blocking Third-Party Hands from the Cookie JarApr 15, 2025 am 09:48 AM

Third-party cookies are set on your computer from domains other than the one that you're actually on right now. For example, if I log into css-tricks.com,

See all articles