preface

This series started with preparing yourself for an interview. Later found more and more sorting, almost 120,000 characters, finally decided to share to everyone.

In order to share the sorting out, I spent a lot of time, at least three times as much time as ONLY myself. If you like, welcome to collect, follow me! Thank you very much!

The article links

  • Front – end interview check and fill gaps -(1) tremble and throttling
  • (2) Garbage collection mechanism
  • (3) Cross-domain and common solutions
  • (4) Front-end local storage
  • (5) Rendering mechanism and redraw and backflow
  • Front – end interview -(six) browser cache
  • (7) XSS attack and CSRF attack
  • (8) Front-end encryption
  • (9) HTTP and HTTPS
  • Check and fill gaps in front interview –(10) Front authentication
  • (11) Front-end software architecture pattern MVC/MVP/MVVM
  • (12) From the input URL to the page to see the whole process (including three handshake, four wave detailed explanation)
  • Front – end interview leak -(13) memory leak
  • Front – end interview omission and filling -(xiv) algorithm and sorting
  • (15) Event Loop

Collection of articles:

The Index (120,000 character collection) contains more than a dozen other articles in the series written so far. The following new value-added articles will not be added in each link, strongly suggest that the comments like, pay attention to the collection!!!! , thank you! ~

Follow-up Update Plan

Design pattern, front-end engineering, project process, deployment, closed loop, vUE often test knowledge and other contents will be added in the future. If you think the content is good, welcome to collect, follow me! Thank you very much!

Ask for an extrapolation

At present, I am also preparing for job-hopping. I hope you and HR sister can promote a reliable front-end position in Wuhan! Email :[email protected]. Thanks! ~

cookie

role

Cookies are plain text and have no executable code. Data storage: When a user visits a website, we can use cookies to store data on the visitor’s computer, or some websites store data (usually encrypted) on the user’s local terminal for identification and session tracking.

When a web page makes an HTTP request, the browser checks to see if there is a cookie. If there is, it automatically adds the cookie field in the request header. The browser does it for us automatically, and it does it for us automatically every time we make an HTTP request. This feature is important because it relates to “what kind of data is appropriate to store in a cookie.”

The data stored in the cookie is automatically placed in the HTTP request by the browser every time. If the data is not sent to the server on every request, the browser’s automatic processing will increase the network overhead. But if the data is data that needs to be sent to the server on every request (such as authentication information), the browser can set it up to handle it automatically, eliminating the need to add it again and again. So the type of information that is set to “carry on every request (typically authentication information)” is particularly suitable for cookies, and other types of data are not.

Characteristics of the

  1. Different browsers store the cookie location is not the same, is not universal.
  2. Cookie storage is distinguished in the form of domain names, and the cookies stored in different domains are independent.
  3. We can set the domain where the cookie takes effect (the subdomain of the domain where the cookie is currently set), that is, we can operate the cookie is the current domain and all subdomains under the current domain
  4. The number of cookies stored in a domain name is limited. The number of cookies stored in different browsers is different, generally 20.
  5. The content size of each cookie is also limited. Different browsers store different sizes, usually 4KB.
  6. Cookies can also be set to expire at the end of the session. By default, cookies are automatically destroyed when the time expires

Cookies are mainly used in the following three aspects:

  • Session state management (such as user login status, shopping cart, game scores, or other information that needs to be recorded)
  • Personalization (such as user-defined Settings, themes, etc.)
  • Browser behavior tracking (e.g., tracking and analyzing user behavior)

Set up the

  • Client Settings:
document.cookie = 'Name = value';
document.cookie = 'username=cfangxu; domain=baike.baidu.com'    // And set the effective domain
// When these properties are set, they are separated by a semicolon and a space.

// When we need to set multiple cookies
document.cookie = "name=Jonh";
document.cookie = "age=12";
document.cookie = "class=111";
Copy the code

Note: Clients can set cookie options such as Expires, domain(the server domain name), path(which path in the domain can accept cookies), and Secure (conditional: The client can only successfully set a Secure cookie in an HTTPS web page, but the HttpOnly option cannot be set.

  • Server side Settings

Whether you request a resource file (such as HTML/JS/CSS/images) or send an Ajax request, the server will return a response. The response header has an item called set-cookie, which is used by the server to set cookies.

Set-Cookie  // The header is a string in the following format (the part in brackets is optional) :
Set-Cookie: value[; expires=date][; domain=domain][; path=path][; secure]
Copy the code

Note: A set-cookie field can only set one Cookie. When you want to set multiple cookies, you need to add the same number of set-cookie fields. All cookie options can be Set on the server: Expires, Domain, path, Secure, HttpOnly The options specified by set-cookie are only used in the browser and are not sent to the server.

read

When we obtain the cookie under the current website through document.cookie, we get the value in the form of string, which contains all the cookies under the current website (to avoid cross-domain scripting (XSS) attacks, this method can only obtain the non-Httponly type cookies). It concatenates all cookies with a semicolon + space. For example, username=chenfangxu; job=coding

Modify the cookie

To change a cookie, all you need to do is reassign the value, and the old value is overwritten by the new value. Note, however, that when setting the new cookie, the path/domain options must remain the same as the old cookie. Otherwise, the old value is not changed, but a new cookie is added.

Delete Set the expiration time of the cookie to the past time. The path/domain/ options make sure that the old cookie remains the same.

Pay attention to

  • The cookie is a string, but in this string, commas, semicolons, and Spaces are treated as special symbols. Therefore, when the key and value of cookie contain these three special characters, it is necessary to carry out extra encoding, usually with escape encoding, read with unescape decoding; Of course you can also use encodeURIComponent decodeURIComponent or encodeURI/decodeURI (the difference between the three can refer to this article).

  • When the cookie is overwritten: when the name, domain, and path fields are the same;

expires

The Expires option sets when a cookie is valid. ** Expires is actually the expiration Date of a cookie **. Expires must be a time in GMT format (which can be obtained by new Date().togmtString () or new Date().toutcString ()).

For example, expires=Thu, 25 Feb 2016 04:18:00 GMT means that the cookie will expire after 4:18 on February 25, 2016, and the browser will clear the expired cookie. If this option is not set, the default validity period is session, or session cookie. The cookie is gone after the browser is closed.

Expires was an option in HTTP /1.0. In the new HTTP /1.1 protocol, expires has been replaced by max-age, both of which limit how long cookies can be valid. The expires value is a point in time (cookie expiration = Expires), while the max-age value is a time period in seconds (cookie expiration = creation time + max-age). In addition, the default value of max-age is -1(that is, the validity period is session). If max-age has three possible values: negative, 0, and positive. Negative: Valid session; 0: delete cookies. Positive: The validity period is creation time + max-age

Domain and path

A domain is a domain name, and a path is a path. Together, the domain and path form a URL. Together, the domain and path restrict which urls a cookie can be accessed by.

In a word: The domain of a cookie is “baidu.com” and the path is “/”. If the requested URL can be js/ HTML /img/ CSS resource request, The domain name is “baidu.com” or its subdomain is “api.baidu.com” or “dev.api.baidu.com”, and the URL path is “/” or its subpath is “/home” or “/home/login”. The browser adds the cookie to the cookie header of the request.

So the domain and path2 options together determine when the cookie is automatically added to the request header by the browser and sent out. If these options are not set, the default values are used. The default value of domain is the domain name of the page where the cookie is set, and the default value of path is the directory of the page where the cookie is set.

secure

Generally, cookie information is transmitted through HTTP connection, which is easy to be viewed, so the information stored in cookie is easy to be stolen. If what is passed in the cookie is important, then encrypted data transmission is required.

The secure option is used to set cookies to be sent only in secure requests. Cookies containing the Secure option can only be sent to the server when the request is HTTPS or other security protocol.

document.cookie = "username=cfangxu; secure"

If the cookie is set to Secure, only the data transmission between the cookie and the server is encrypted, but the local cookie files are not encrypted. Setting the secure attribute does not mean that others cannot see cookies stored locally on your machine. Confidential and sensitive information should never be stored or transmitted in cookies because the entire mechanism of cookies is inherently insecure

Note: If you want to use javascript to set secure cookies on a web page, you must ensure that the web page is HTTPS. Secure cookies cannot be set on HTTP web pages.

httpOnly

This option is used to set whether the cookie can be accessed through js. By default, cookies do not have the httpOnly option, so by default, the client can access the cookie (including reading, modifying, deleting, etc.) through JS code. When the cookie has the httpOnly option, the client cannot access (including reading, modifying, deleting, etc.) the cookie through JS code.

It is not possible to set an httpOnly type cookie on the client via JS code. This type of cookie can only be set on the server.

– httpOnly and security

From this introduction, you may wonder: why do we want to restrict client access to cookies? It’s really about safety.

Imagine what would happen if any cookie could be obtained by the client through document.cookie. When our web page suffered XSS attack, there is a malicious script inserted into the web page. This script reads the user’s authenticated cookies through document.cookie and sends them to the attacker’s server. An attacker has easy access to the user’s authentication information, and can then waddled into your server pretending to be that user (because the attacker has valid user authentication information, it will pass your server authentication).

Third party cookies

Usually the domain of the cookie matches the domain of the browser address, which is called a first-party cookie. A third-party cookie is when the domain of the cookie and the domain in the address bar do not match. This cookie is usually used on third-party advertising sites. In order to track users’ browsing history and push relevant advertisements to users according to the collected browsing habits of users. Check out this article about third-party cookies and cookie security

  • Cookie Recommended Resources

    • Talk about the cookie
    • HTTP cookies,

A session is different from a cookie

  • The session is stored on the server and the cookie is stored on the client
  • A time object stored in a session. A cookie is a string
  • Sessions are pathless; all sessions can be accessed from anywhere during a user’s visit to a site
  • Cookie If the path is set, it cannot be accessed in some places
  • A session needs cookies to work properly. If cookies are disabled, the session becomes invalid
  • When the client sends the request, it automatically encapsulates the locally alive cookie in the message hairs to the server copy code

Session and Cookie application scenarios

  • Session context mechanism that identifies customers by sessionID for each user
  • Session is based on a cookie or URL rewrite. By default, a cookie is used. The system creates an output cookie named jSessionID
  • Session is used for important state, cookie is used for unimportant state, session is used for login information, and cookie is used for shopping cart

LocalStorage (localStorage)

HTML5 new method, only IE8 and above compatible.

Features:

  • Life cycle: Persistent local storage that never expires unless actively deleted.
  • Stored information is shared in the same domain.
  • When localStorage is added, modified, or deleted on this page, this page does not trigger the storage event, but other pages will trigger the storage event.
  • Size: said to be 5M (depending on browser vendor)
  • It can be opened locally in non-IE browsing. Open Internet Explorer on the server.
  • LocalStorage is essentially to read the string, if the storage content will consume memory space, will cause the page card
  • LocalStorage is restricted by the same origin policy

Set up the

localStorage.setItem('username','cfangxu');

To obtain

Localstorage.getitem (‘username’) can also get the first key name localstorage.key (0) #

delete

Localstorage.removeitem (‘username’) can also clear all the items at once. Localstorage.clear ()

Storage events

Triggered when the storage changes.

Note: An action on a storage on the current page triggers an event on another page. The event callback is a StorageEvent object that provides some useful properties, as shown in the following table:

Property Type Description
key String The named key that was added, removed, or moddified
oldValue Any The previous value(now overwritten), or null if a new item was added
newValue Any The new value, or null if an item was added
url/uri String The page that called the method that triggered this change

Js triggers events across pages, using storage listening events to trigger storage event conditions:

  • Two homologous pages open in the same browser
  • One of the pages modifies localStorage
  • Another web page registered the event

sessionStorage

In fact, similar to localStorage, is also localStorage, local session storage

The characteristics of

  • Used to store data locally from a session, which is accessible only from pages in the same session and is destroyed when the session ends. Therefore, sessionStorage is not a persistent local storage, but only session-level storage. That is, as long as the browser window is not closed, the data will still exist even if the page is refreshed or if you go to another page. After the window is closed, the sessionStorage is destroyed, or another page of the same source is opened in a new window, and the sessionStorage does not exist.

Cookie, localStorage, and sessionStorage are different

  • Same: Store data locally (on the browser side)
  • Different:
    • LocalStorage as long as in the same protocol, the same host name, the same port, can read/modify to the same localStorage data.

    • SessionStorage is a bit more stringent than localStorage. In addition to the protocol, host name, and port, sessionStorage must be in the same window (that is, the browser TAB).

    • LocalStorage is permanent storage unless manually deleted.

    • SessionStorage When the session ends (when the current page closes, automatic destruction)

    • Cookie data will be sent to the server every time the HTTP request is sent, but not to localStorage and sessionStorage.

Web SQL Database and indexedDB

I won’t go into more detail about these front-end stores that are not commonly used (in fact, I won’t =.=). Check out this article for more details

Thanks and Reference

  • Very full very full front end local storage explanation