This is the last How to get a big offer interview essay topic | technology, of the following questions and answer update ideas

1. Describe the format of HTTP request packets and response packets.

HTTP request packet

An HTTP request packet consists of four parts: request line, header, blank line, and request data. The following figure shows the general format of a request packet.

English:

< request-line > < blank line > < request-body >

1. The request header

The request line consists of the request method field, the URL field and the HTTP protocol version field, separated by Spaces. For example, GET /index.html HTTP/1.1.

HTTP request methods include GET, POST, HEAD, PUT, DELETE, OPTIONS, TRACE, and CONNECT.

2. Request headers

The request header consists of a keyword/value pair, one on each line, separated by colons (:). The request header notifies the server of information about the client request. A typical request header is:

User-agent: indicates the type of the browser that generates the request.

Accept: List of content types recognized by the client.

Host: specifies the requested Host name. Multiple domain names can reside at the same IP address, that is, a virtual Host.

3. A blank line

The last request header is followed by an empty line, and carriage return and newline characters are sent to inform the server that there are no more headers below.

4. Request data

Request data is not used in the GET method, but in the POST method. The POST method is suitable for situations where a customer needs to fill out a form. The most commonly used request headers associated with request data are content-Type and Content-Length.

The HTTP message

The HTTP response also consists of three parts: the status line, the message header, and the response body.

As shown below, the format of the HTTP response is very similar to the format of the request:

< blank line > < response-body >

As you can see, the only real difference in the response is that the request information is replaced with status information in the first line. The status line specifies the requested resource by providing a status code.

The status line format is as follows:

HTTP-Version Status-Code Reason-Phrase CRLF

Http-version indicates the HTTP Version of the server. Status-code Indicates the response Status Code sent by the server. Reason-phrase Indicates the text description of the status code. The status code consists of three digits, the first of which defines the category of the response and has five possible values.

  • 1XX: Indicating message – indicating that the request has been received and processing continues.
  • 2xx: Success: The request is successfully received, understood, or accepted.
  • 3xx: Redirect – Further action must be taken to complete the request.
  • 4XX: Client error – The request has a syntax error or the request cannot be implemented.
  • 5xx: Server side error — the server failed to fulfill a valid request.

The following describes common status codes and status descriptions.

  • 200 OK: The client request is successful.
  • 400 Bad Request: The client Request has syntax errors and cannot be understood by the server.
  • 401 Unauthorized: The request is not authorized. This status code must be used with the WWW-Authenticate header field.
  • 403 Forbidden: The server receives requests but refuses to provide services.
  • 404 Not Found: The requested resource does Not exist, for example: an incorrect URL was entered.
  • 500 Internal Server Error: An unexpected Error occurs on the Server.
  • 503 Server Unavailable: The Server is currently unable to process client requests and may recover after a period of time, for example, HTTP/1.1 200 OK (CRLF).

See the blog for details

2. Use three ways to achieve the vertical effect of the block box, assuming that the height of the box ADAPTS to the content

Transform and Flex are not supported by autoprefixer. If you want to use transform and Flex, please choose another way to use them. There are compatibility bugs in the X5 kernel and ios kernel (such as flex-wrap).

The first: Flex

The parent element sets the following properties display:flex; Flex-direction :row // Web default value, rn default column align-items:centerCopy the code

Second: Absolute

The parent element sets position:relative the parent element position:absolute; top:50%; transform:translateY(-50%);Copy the code

Third, use the display:table-cell attribute

display:table-cell;
vertical-alian:middle;Copy the code

. There are many

3. What does the HTTP status code 302 mean

Temporarily Moved. Used when a web page URL needs to be changed for a short time.

By the way, 301

301 Redirection/Redirect General: This page is permanently transferred to another address.

Permanently Moved. Permanently Moved. Permanently Moved: Permanently Moved to Permanently Moved: Permanently Moved to Permanently Moved

The difference between 301 and 302 redirects

301 redirects are permanent redirects. The search engine will also replace the old url with the redirected url while fetching new content.

302 redirects are temporary redirects where search engines grab new content and keep the old url. Because the server returns the 302 code, the search engine considers the new url to be temporary.

4. What is a cookie and what is the difference between it and session

1. Session on the server and cookie on the client (browser)

Session is stored in a file on the server by default (not in memory).

3. The running of the session depends on the session ID, which is stored in the cookie, that is, if browsing

Cookies are disabled and the session is invalidated (but this can be done in other ways, such as passing in a URL)

Session_id)

4. Session can be stored in file, database, or memory.

5. User authentication is generally used in this context

Therefore, the core of maintaining a session is the unique identifier of the client, namely the session ID

5. What DOM interfaces are available to get the dimensions (width and height) of an element

Assume that the element id is box

(if CSS declaration does not set hieght and width, then box-sizing will not return the GHT.)


    var box = document.getElementById('box');
    var w = box.style.width;
    var h = box.style.height;Copy the code

GetComputedStyle = ’em’; getComputedStyle = ’em’; getComputedStyle = ’em’;

    var style = window.getComputedStyle ? window.getComputedStyle(box,null) : null || box.currentStyle;
    var w = style.width;
    var h = style.height;Copy the code


3. OffsetHeight and offsetHeight

4. GetBoundingClientRect (IE67 left and top will be 2px less, and does not have width and height attributes, need to be compatible with this part of the browser. The DOMRect object contains a set of read-only attributes — left, top, right, and bottom — that describe the border, in pixels. All attributes except width and height are relative to the top-left position of the viewport

.

6. Describe the flow of a DOM event, from trigger to completion

The event flow consists of three phases: the event capture phase, the target phase, and the event bubbling phase. The first thing that happens is event capture,

Provides an opportunity to intercept events. Then the actual target receives the event. The last stage is the bubble stage, which can be right here

Phases respond to events. Clicking on the <div> element will look like this:

In the DOM event stream, the actual target (the <div> element) does not receive events during the capture phase. This means that during the capture phase,

The 12 event stops after document, < HTML >, and then <body>. The next stage is the “on target” stage, so

Events occur on <div> and are considered part of the bubbling phase in event handling (a concept discussed later). However,

After that, the bubbling phase occurs and the event propagates back to the document.

Most browsers that support DOM event streaming implement a specific behavior; Even though the “DOM2-level event” specification explicitly requires it

Event targets are not involved in the capture phase, but IE9, Safari, Chrome, Firefox, and Opera 9.5 and later are

The event on the event object is touched during the capture phase. As a result, there are two opportunities to manipulate events on the target object.

So that’s the elevation.

7. Describe the difference between UTF-8 and Unicode

  • Unicode is “character set”
  • Utf-8 is “Encoding rule”

Unicode is a complex character encoding standard that simply matches every so-called character used by humans to a non-negative integer and guarantees that different characters must correspond to different integers. Utf-8 is the encoding of this integer, representing an integer in 1 to 4 bytes.

Relationships: UTF-8 is one of the implementations of Unicode, which specifies how characters are stored, transferred, and so on in a computer.

8. Talk about optimization strategies you use for loading and interaction experiences in your daily Web development

1. Reduce the number of HTTP requests

This is a strategy that almost everyone knows, and it’s the most important and effective one. We all talk about reducing HTTP requests, but what happens when you have more? First, every request has a cost, including both time and resources. A complete request needs to go through a “long” and complex process of DNS addressing, establishing a connection with the server, sending data, waiting for the server to respond, and receiving data. The time cost is that the user needs to see or “feel” the resource and must wait for the end of the process. As each request of the resource needs to carry data, each request needs to occupy bandwidth.

In addition, because the browser concurrent requests the number of requests is limit, so the number of requests much later, the browser needs to carry on the request, so would increase the waiting time of the user, can cause slow site to users such an impression, even if the user may be able to see the resources of the first screen of the request has been finished, but the browser of the progress bar will always exist. The main ways to reduce the number of HTTP requests include:

(1). Simplify the page from the design implementation level

If your page is as simple as baidu’s home page, then the following rules are basically unnecessary. The most straightforward way to keep your page simple and reduce resource usage. If not, and your page needs a gorgeous skin, read on.

(2). Set HTTP cache properly

Caching is powerful, and proper caching Settings can greatly reduce HTTP requests. Taking the homepage of Youa as an example, when the browser has no cache, 78 requests will be sent, totaling more than 600 K data (see Figure 1.1). However, when the browser has cached the second visit, there will only be 10 requests, totaling more than 20 K data (see Figure 1.2). (It should be noted here that if you refresh the page directly with F5, the effect will be different. In this case, the number of requests will be the same, but the request server for cached resources is 304 response server, only Header without Body, which can save bandwidth.)

What is a reasonable setting? The principle is simple: the more you can cache, the longer you can cache, the better. For example, an image resource that rarely changes can be set to a long Expires Header directly through HTTP Header Expires; Resources that change infrequently and are subject to change can be used for request validation using last-modiFed. Keep resources in the cache as long as possible.

(3). Resource consolidation and compression

If possible, combine external scripts and styles into one. In addition, CSS, Javascript, Image can be compressed with appropriate tools, often can save a lot of space after compression.

(4). CSS Sprites

Combining CSS images is another great way to reduce the number of requests.

(5). Inline Images

Using the Data: URL scheme to embed images in a page or CSS is a great way to do this without worrying about resource management. The tradeoff for embedding a page is that it increases the size of the page and doesn’t take advantage of the browser cache. Images in CSS are more ideal.

(6). Lazy Load Images

This strategy does not actually reduce the number of HTTP requests, but it can reduce the number of HTTP requests under certain conditions or when the page is first loaded. For images, you can load only the first screen when the page is first loaded, and only load subsequent images when the user continues scrolling. This way, if the user is only interested in the content on the first screen, the rest of the image request will be saved. Yes, the home page used to cache the address of the image after the first screen in the Textarea tag when loading, waiting for the user to scroll down the “lazy” loading.

2. Set the external scripts to the bottom

Above have talked about, the browser can be concurrent requests, this characteristic makes it faster to load resources, outside the chain script when loading, however, will block the other resources, such as the script loaded before it at the back of the picture, style, and other scripts in the blocking state, until after script loading start to load. If the script is placed relatively early, it will affect the loading speed of the entire page and thus the user experience. There are many ways to solve this problem, but the simplest and most reliable approach is to move the script as far back as possible to reduce the impact on concurrent downloads.

3. Execute the inline script asynchronously

Inline scripts have an even greater impact on performance than external scripts. As with external scripts, inline scripts block concurrent requests when executed, but because browsers are single-threaded in terms of page processing, rendering of the page is delayed when inline scripts are executed before rendering. In short, when an inline script is executed, the page is blank. For these reasons, it is recommended that inline scripts with long execution times be executed asynchronously. This can be done in a variety of ways, such as using the defer ownership of script elements (compatibility issues and other issues such as not using Document.write), using setTimeout, and in addition, The introduction of Web Workers in HTML5 can solve this kind of problem.

4. Lazy Load Javascript

With the popularity of Javascript frameworks, more and more sites are using frameworks. However, a framework often includes a lot of functionality that is not needed on every page, and downloading scripts that are not needed is a waste of resources – wasted bandwidth and execution time. There are currently two approaches, one is to customize a dedicated mini version of the framework for those pages that have a lot of traffic, and the other is Lazy Load. YUI uses the second approach. In the implementation of YUI, only the core modules are loaded initially, and other modules can wait until they are needed.

5. Place the CSS in the HEAD

If you place your CSS somewhere else, such as in the BODY, the browser may start rendering the page before it has been downloaded and parsed into the CSS, which can lead to a CSS state that will make the user experience worse. In addition, some browsers will render the page after the CSS has been downloaded, which will cause the browser to render later if the CSS is placed lower down.

6. Reduce unnecessary HTTP hops

For HTTP links that are accessed as directories, many people ignore whether or not the link ends with a ‘/’. If your server treats this differently, you should also be aware that this may hide a 301 redirect and add extra requests. See the figure below, where the first link is accessed without a ‘/’ ending and the server has a jump.

7. Avoid duplicate resource requests

This is mainly due to carelessness or the fact that a page is spliced together by multiple modules, and then the same resource is requested in each module, resulting in repeated requests for resources. The probability of occurrence is small, but still need to pay attention to the investigation.

.

9. What are CSRF attacks and how can they be prevented

CSRF fully Cross Site Request Forgery. CSRF is an attack that traps a user for performing unintended actions on a logged in Web application. In contrast to XSS, CSRF exploits the system’s trust in the page browser, while XSS exploits the system’s trust in the user.

Defending against CSRF attacks:

At present, there are three main defense strategies against CSRF attacks: verifying HTTP Referer field; Add token to request address and verify; Customize and validate properties in HTTP headers.

(1) Verify the HTTP Referer field

According to the HTTP protocol, there is a field in the HTTP header called Referer that records the source address of the HTTP request. Under normal circumstances, the limited access to a secure page requests from the same site, such as the need to visit http://bank.example/withdraw? Account = Bob&Amount =1000000&for=Mallory, the user must first log in to bank.Example and then trigger the transfer event by clicking the button on the page. In this case, the Referer value of the transfer request will be the URL of the page where the transfer button is located, usually starting with the bank.example domain name. If a hacker wants to carry out A CSRF attack on a bank’s website, he can only construct a request on his own website. When a user sends a request to the bank through the hacker’s website, the Referer of the request is directed to the hacker’s own website. Therefore, to defend against CSRF attacks, bank websites only need to verify the Referer value of each transfer request. If the domain name starts with bank.example, it indicates that the request is from the bank website itself and is legitimate. If the Referer is any other site, it could be a CSRF attack by a hacker to reject the request.

The obvious benefit of this approach is that it is so simple that the average developer of a site doesn’t have to worry about CSRF vulnerabilities, just adding a single interceptor to all security-sensitive requests at the end to check the Referer value. Especially for the current existing system, there is no need to change any existing code and logic of the current system, no risk, very convenient.

However, this approach is not foolproof. The value of the Referer is provided by the browser. Although there are clear requirements on the HTTP protocol, the specific implementation of the Referer by each browser may be different, and there is no guarantee that the browser itself is free of security vulnerabilities. The method of verifying the Referer value relies on the security of a third party (i.e. the browser), which in theory is not secure. In fact, for some browsers, such as IE6 or FF2, there are already ways to tamper with the Referer value. If the bank.example site supports Internet Explorer 6, the hacker could have set the Referer value of the user’s browser to an address that starts with the bank.example domain name, so that it can be verified and CSRF attacks can be carried out.

Even with the latest browsers, hackers can’t tamper with the Referer value, which is problematic. Because Referer records the source of the user’s access, some users feel that this will violate their privacy, especially some organizations concerned that the Referer value will leak some information from their internal network to the external network. Therefore, users themselves can set the browser to no longer provide Referer when sending requests. When they visit the bank’s website normally, the website will consider the request as a CSRF attack because it does not have the Referer value and deny the access to legitimate users.

(2) Add token to request address and verify

The reason why CSRF attack can be successful is that the hacker can completely forge the user’s request, and all the user authentication information in the request is in the cookie, so the hacker can directly use the user’s own cookie to pass the security authentication without knowing the authentication information. The key to defending against CSRF is to put information in the request that a hacker cannot forge and that does not exist in a cookie. A randomly generated token can be added to the HTTP request as a parameter, and an interceptor can be established on the server side to verify the token. If there is no token in the request or the token content is incorrect, the request may be rejected as a CSRF attack.

This is more secure than checking the Referer. Tokens can be generated after the user logs in and placed in the session, and then taken out of the session on each request and compared with the tokens in the request. The difficulty with this approach, however, is how to add tokens to the request as parameters. For GET requests, the token is appended to the request address so that the URL becomes http://url? Csrftoken = tokenvalue. For POST requests, add <input type= “hidden” name= “csrFToken” value= “tokenValue” /> at the end of the form to add the token as a parameter to the request. However, in a website, there are so many places to accept requests that adding a token to each request is cumbersome and easy to miss. The usual method is to traverse the dom tree with javascript every time the page loads. Add the token after all a and FORM tags in the DOM. This solves most requests, but for HTML code that is generated dynamically after the page loads, this approach does not work and requires the programmer to manually add tokens at coding time.

Another disadvantage of this approach is that it is difficult to guarantee the security of tokens themselves. Especially in some forums and other websites that support users to publish their own content, hackers can publish their own personal website address. Since the system also adds a token to the address, the hacker can get the token on his own website and launch a CSRF attack right away. In order to avoid this, the system can add a judgment when adding the token, if the link is linked to their own site, add the token later, if it is to the Internet, do not add. However, even if the CSRFtoken is not attached to the request as a parameter, a hacker’s site can also obtain the token value via the Referer to launch a CSRF attack. This is why some users prefer to turn off the browser Referer manually.

(3) Customize attributes in HTTP headers and validate them

This method also uses the token and validates it. Unlike the previous method, instead of placing the token in the HTTP request as a parameter, it places it in a custom attribute in the HTTP header. With the XMLHttpRequest class, you can add the CSRFToken HTTP header attribute and put the token value into all of the class requests at once. This eliminates the inconvenience of adding the token to the request in the previous method, and the XMLHttpRequest address is not logged in the browser’s address bar, and the token is not leaked to other sites through the Referer.

However, this approach has significant limitations. XMLHttpRequest is usually used for asynchronous partial page refresh in Ajax methods. Not all requests are suitable to be initiated with this class, and the page obtained through this class cannot be recorded by the browser, thus making it inconvenient for users to move forward, backward, refresh, and save. In addition, for legacy systems without CSRF protection, this approach to protection requires that all requests be converted to XMLHttpRequest requests, which is almost an entire web site rewrite, an unacceptable cost.

10. What are the functions and differences between the script tag to defer and the async attribute

Async property, which indicates that the loading and rendering of subsequent documents and the loading and execution of JS scripts are carried out in parallel, i.e. asynchronously.

The defer attribute, the loading of the subsequent document and the loading of the JS script (which is now only loaded but not executed) are parallel (asynchronous), and the execution of the JS script needs to wait until all elements of the document have been parsed and before the DOMContentLoaded event is triggered.

The difference between

1. Defer and Async are the same in the network loading process and are both executed asynchronously;

2. The difference between the two is when to execute the script after loading. Defer is more in line with the requirements for script loading and execution in most scenarios.

3. If there are multiple scripts with the defer attribute, they execute them in the order they were loaded; With async, the loading and execution are side by side, regardless of the order of declaration, as soon as the loading is complete. It is not very useful for application scripts because it does not consider dependencies at all.