1. What is the Same Origin policy? The Same Origin policy is a convention. It is the most core and basic security function of a browser. The same origin policy is a famous security policy proposed by Netscape. This strategy is now used by all browsers that support JavaScript. Same name means same domain name, same protocol, same port. A non-same-origin client script cannot read or write other resources without explicit authorization. When requesting data, the browser raises an exception in the console, indicating that access is denied.
Non-homogenous restrictions: Cookies cannot read dom cannot get Ajax requests cannot be sent
2. What is cross-domain
Cross-domain access refers to cross-domain access. The following cases are cross-domain access:
Cross-domain Cause Description Example Different domain names www.jd.com and www.taobao.com have the same domain names, Different ports www.jd.com:8080 and www.jd.com:8081 Different secondary domain names Item.jd.com and miaosha.jd.com If the domain name and port number are the same but the request path is different, the domain name does not belong to the cross-domain, for example:
www.jd.com/item
www.jd.com/goods
The cross-domain problem is a security limitation imposed by browsers on Ajax requests: Ajax requests from a page can only be in the path of the same domain name as the current page, which effectively prevents cross-site attacks.
Therefore: Cross-domain issues are a limitation against Ajax.
3. The json across domains
JSONP is JSON with Padding
In order to facilitate the use of data by clients, an informal transfer protocol was gradually developed, which was called JSONP. One of the key points of the protocol was to allow the user to pass a callback parameter to the server, which then wrapped the JSONP data as a function name when the server returned the data. The client can then customize its own functions to automatically process the returned data.
Due to the same origin policy, XmlHttpRequest only allows requests for resources from the current source (domain name, protocol, port). And dynamically add one
The advantage of JSONP is that it is not constrained by the same origin policy as Ajax requests implemented by XmlHttpRequest objects; It is more compatible, runs in older browsers (IE is cross-domain JSONP), and does not require XmlHttpRequest or ActiveX support. After the request is complete, the result can be returned by calling callback.
Limitation: Only GET requests can be made for services requiring support
4. CORS across domains
CORS: Cross-origin Resource Sharing.
CORS requires the support of both the browser and the server to achieve cross-domain requests. At present, almost all browsers support CORS, and Internet Explorer cannot be lower than Internet Explorer 10. The entire process of CORS is done automatically by the browser, without any front-end Settings, just like normal Ajax requests. Therefore, the key to achieve CORS lies in the server. As long as the server implements CORS interface, cross-domain communication can be realized.
It allows browsers to issue XMLHttpRequest requests across source servers, overcoming the limitation that AJAX can only be used in the same source.
For simple requests, the browser sends the CORS request directly, specifically by adding the Origin request header field to the header. Also, in the response header, the relevant CORS header field set by the server is returned, with the Access-Control-Allow-Origin field as the source to Allow cross-domain requests. When a request is made, the browser describes the source of the request in Origin in the request header. After receiving the request, the server returns the request successfully.
Simple request (1) The request method is one of the following three methods: HEAD GET POST
(2) The HTTP header does not exceed the following fields: Accept accept-language Content-language last-event-ID
Content-type: Application/X-www-form-urlencoded, multipart/form-data, Text /plain When a browser discovers that an Ajax request is simple, it will carry a field in the request header: application/ X-www-form-urlencoded, multipart/form-data, text/plain Origin.
Origin indicates which domain (protocol + domain + port) the current request belongs to. Based on this value, the server decides whether to allow it to cross domains.
If the server allows cross-domains, you need to return the following information in the response header: Access-Control-allow-origin: Indicates an acceptable domain. It is a specific domain name or *, which stands for any domain.