First, cross-domain restrictions come from the browser's "same-origin policy", which has nothing to do with the server. Because of the same-origin policy, sites of different origins are subject to the following restrictions:

  1. Data stored in the browser, for example `localStorage`, `IndexedDB` and cookies, cannot be accessed
  2. The DOM cannot be accessed
  3. Ajax requests cannot be sent

Communication between different source sites can be done in the following ways:

  1. By setting the same `document.domain`, cookies can be shared, and parent and child windows can also access each other's DOM
  2. Through `window.onhashchange`, hash values can be shared, for parent-child windows only (inline iframe)
  3. Through `postMessage`

As for Ajax requests, the browser first checks whether the request path has the same origin as the current page. Same-origin requests are sent directly. Cross-origin requests are held back first: an `Origin` field is added to the request header and a "preflight request" (pre-check request) is sent. After receiving the request, the server returns a result according to its own configuration:

  1. `Access-Control-Allow-Origin`: a list of domain names allowed for cross-domain access
  2. `Access-Control-Allow-Methods`: the request methods allowed for cross-domain access
  3. `Access-Control-Allow-Headers`: the list of headers allowed for cross-domain access
  4. `Access-Control-Expose-Headers`: the list of headers allowed to be exposed to JavaScript code
  5. `Access-Control-Max-Age`: the maximum browser cache time, in seconds

Based on the returned data, the browser sends the actual request if the conditions are met, and refuses to send it if they are not.

That is what CORS is. Note, however, that CORS does not send a preflight request when the request is a simple request.
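
The decision flow described above, as an added example (not code from the original page): a simplified JavaScript model of how the browser decides whether a request is sent directly, sent after a preflight, or blocked. The function names and the sample origins `https://app.example` and `https://api.example` are assumptions; the model assumes a request without credentials and explicit method and header lists from the server.

```javascript
// Simplified model of the browser-side CORS decision (added example; names are assumptions).
// Assumes a request without credentials and explicit (non-wildcard) method/header lists.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Header names the server must explicitly allow before the request may be sent.
function unsafeHeaders(headers = {}) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (!SAFE_HEADERS.has(n)) return true;
      if (n !== "content-type") return false;
      return !SAFE_CONTENT_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase());
}

// A "simple request" skips the preflight: safe method and no unsafe headers.
function isSimpleRequest(req) {
  return SAFE_METHODS.has(req.method.toUpperCase()) && unsafeHeaders(req.headers).length === 0;
}
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// preflight: response headers of the preflight request, keyed by lower-case name.
function corsDecision(pageOrigin, req, preflight = {}) {
  if (new URL(req.url).origin === pageOrigin) return { send: true, preflight: false, why: "same origin" };
  if (isSimpleRequest(req)) return { send: true, preflight: false, why: "simple request" };
  const allowOrigin = preflight["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== pageOrigin)
    return { send: false, preflight: true, why: "origin not allowed" };
  const method = req.method.toUpperCase();
  if (!SAFE_METHODS.has(method) &&
      !list(preflight["access-control-allow-methods"]).includes(method.toLowerCase()))
    return { send: false, preflight: true, why: "method not allowed" };
  const allowed = list(preflight["access-control-allow-headers"]);
  const missing = unsafeHeaders(req.headers).filter((h) => !allowed.includes(h));
  if (missing.length) return { send: false, preflight: true, why: "header not allowed: " + missing.join(", ") };
  return { send: true, preflight: true, why: "preflight passed" };
}

// Constructed sample: a JSON PUT from https://app.example to https://api.example.
const PAGE = "https://app.example";
const PUT_JSON = { url: "https://api.example/items/1", method: "PUT",
                   headers: { "Content-Type": "application/json" } };
const SERVER_OK = { "access-control-allow-origin": PAGE,
                    "access-control-allow-methods": "GET, PUT",
                    "access-control-allow-headers": "Content-Type" };
console.log(corsDecision(PAGE, PUT_JSON, SERVER_OK));
```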