First, what is cross-domain?

The same-origin policy

The same origin policy is an important security policy that restricts how an Origin document, or the scripts it loads, can interact with resources from another source. It can help block malicious documents and reduce the number of vectors that can be attacked.

The same sample

So what is homology? Let’s take a look at the components of the URL, okay?

www.example.com:80/path/to/myf…

Protocol (protocol
Domain name
Port (port)

Correct example: www.example.com:80/a.js www.example.com:80/b.js Belong to the same protocol, domain name, and port.

Error example: www.example.com:8080 www.example.com:80 None of the three are the same.

Ii. How to solve cross-domain problems?

1.CORS

CORS(Cross-domain resource Sharing): A mechanism that uses additional HTTP headers to tell browsers that the Web running on (domain) can be allowed to access specified resources on different resource servers. There are simple and non-simple requests in CORS.

  • Simple requests do not trigger CORS precheck requests. Such requests are called “simple requests”.
  1. Case 1: Use the following methods to request: GET, POST, HEAD
  2. Case 2: Request headers outside the following sets are set artificially: Accept, Accept-language, Content-Language, Content-Type, and DPR.
  3. Case 3: Content-Type values are limited to text/plain, multipart/form-data, Application/X-www-form-urlencoded.
  4. Case 4: None of the XMLHttpRequestUpload objects in the request are registered with any event listeners
  5. No ReadableStream object is used in the request.
  • Non – simple requests except the above.
  • Solution in Node
  1. A native way
app.use(async (ctx, next) => {
  ctx.set("Access-Control-Allow-Origin", ctx.headers.origin);
  ctx.set("Access-Control-Allow-Credentials".true);
  ctx.set("Access-Control-Request-Method"."PUT,POST,GET,DELETE,OPTIONS");
  ctx.set(
    "Access-Control-Allow-Headers"."Origin, X-Requested-With, Content-Type, Accept, cc"
  );
  if (ctx.method === "OPTIONS") {
    ctx.status = 204;
    return;
  }
  await next();
});
Copy the code
  1. Third-party middleware
const cors = require("koa-cors");
app.use(cors());
Copy the code
  • The cookie problem in CORS must satisfy three conditions simultaneously
  1. Set withCredentials for Web requests. By default, browsers do not have cookies when making cross-domain requests. However, we can pass cookies by setting withCredentials.
Var XHR = new XMLHttpRequest(); xhr.withCredentials =true; / / axios set mode axios. Defaults. WithCredentials =true;
Copy the code
  1. Access – Control – Allow – Credentials to true
  2. Access – Control – Allow – Origin to a *
  • Avoid duplicate options requests access-control-max-age :(number) the value represents how long, in seconds, the results of (precheck requests) can be cached.

2.Node forward proxy

The idea of the proxy is to make the interface and the current site co-domain by taking advantage of the fact that server requests are not cross-domain.

  • Webpack (4.x) Proxy can be configured in Webpack to quickly obtain the capabilities of the interface proxy.
  devServer: {
    port: 8000,
    proxy: {
      "/api": {
        target: "http://localhost:8080"}}}Copy the code

How it works: devServer started with Express, using http-proxy-middleware socket, rewrite, etc.

  • Charles uses Charles to cross domains, essentially intercepting and brokering requests. , set the proxy in tools/ Map remote

3.Nginx reverse proxy

Cross-domain can be carried out through the way of reverse proxy, the front end through the Nginx proxy to the back-end interface.

  1. Hosts: 127.0.0.1 local.test
  2. Configure nginx
server { listen 80; server_name local.test; location /api { proxy_pass http://localhost:8080; } location / { proxy_pass http://localhost:8000; }}Copy the code
  1. Nginx: sudo nginx -s reload
<script>
  axios.defaults.withCredentials = true;
  getlist.onclick = () => {
    axios.get("/api/corslist").then(res => {
      console.log(res.data);
    });
  };
  login.onclick = () => {
    axios.post("/api/login");
  };
</script>
Copy the code

Back-end code:

router.get("/api/corslist", async ctx => {
  ctx.body = {
    data: [{ name: Notes on the Autumn Wind}}; }); router.post("/api/login", async ctx => {
  ctx.cookies.set("token", token, {
    expires: new Date(+new Date() + 1000 * 60 * 60 * 24 * 7)
  });
  ctx.body = {
    msg: "Success",
    code: 0
  };
});
Copy the code

Effect access local.test/ Charles

4.JSONP

JSONP takes advantage of the fact that script tags have no cross-domain constraints. Use restrictions only supports the GET method. If you want to use the full REST interface, use CORS or another proxy method for process resolution.

  1. The front end defines parsing functions (for example, jsonpCallback=function(){…. })
  2. Wrap request parameters in params form and declare execution functions (such as cb=jsonpCallback)
  3. The back end takes the execution function declared by the front end (jsonpCallback) and passes it to the front end by taking arguments and calling the execution function. Example in Use backend implementation:
const Koa = require("koa");
const fs = require("fs");
const app = new Koa();

app.use(async (ctx, next) => {
 if (ctx.path === "/api/jsonp") {
   const { cb, msg } = ctx.query;
   ctx.body = `${cb}(${JSON.stringify({ msg }`)});return; }}); app.listen(8080);Copy the code

Plain JS example

<script type="text/javascript">
 window.jsonpCallback = function(res) {
   console.log(res);
 };
</script>
<script
 src="http://localhost:8080/api/jsonp? msg=hello&cb=jsonpCallback"
 type="text/javascript"
></script>
Copy the code

“Principle analysis” 1, the most basic JS call

<script>
 window.jsonpCallback = function(res) {
   console.log(res);
 };
</script>
<script>
 jsonpCallback({ a: 1 });
</script>
Copy the code

2. SRC in script to externalize js code

<script>
 window.jsonpCallback = function(res) {
   console.log(res);
 };
</script>
<script src="http://localhost:8080/api/a.js"></script>
Copy the code

3, finally with the back-end interface for joint tuning, in fact, is a JS function ‘ ‘

// http://localhost:8080/api/a.js jsonpCallback({a:123}); ` ` `

5.Websocket

The WebSocket specification defines an API for establishing a “socket” connection between a web browser and a server. Simply put: There is a persistent connection between the client and the server, and both can start sending data at any time. This approach essentially does not use HTTP, so there are no cross-domain restrictions. The front part

<script>
  let socket = new WebSocket("ws://localhost:8080");
  socket.onopen = function() {
    socket.send(Notes on the Autumn Wind);
  };
  socket.onmessage = function(e) {
    console.log(e.data);
  };
</script>
Copy the code

The backend part

const WebSocket = require("ws");
const server = new WebSocket.Server({ port: 8080 });
server.on("connection".function(socket) {
  socket.on("message".function(data) {
    socket.send(data);
  });
});
Copy the code

6.window.postMessage

The “window.postmessage ()” method can safely implement cross-source communication.

7.document.domain + Iframe

This mode can be used only when the secondary domain names are the same. For example, a.test.com and b.test.com are used in this mode. Just add document.domain =’test.com’ to the page to indicate that the secondary domain is the same.

Www.bidu.com. Tertiary domain Secondary domain Top-level domain root domainCopy the code
// a.test.com
<body>
  helloa
  <iframe
    src="http://b.test.com/b.html"
    frameborder="0"
    onload="load()"
    id="frame"
  ></iframe>
  <script>
    document.domain = "test.com";
    function load() {
      console.log(frame.contentWindow.a);
    }
  </script>
</body>
Copy the code
// b.test.com
<body>
  hellob
  <script>
    document.domain = "test.com";
    var a = 100;
  </script>
</body>
Copy the code

8.window.location.hash + Iframe

The implementation principle is to pass data through a non-cross-domain intermediate page with a HASH url. The implementation process

// a.html
<iframe src="http://localhost:8080/hash/c.html#name1"></iframe>
<script>
  console.log(location.hash);
  window.onhashchange = function() {
    console.log(location.hash);
  };
</script>
Copy the code
// c.html
<body></body>
<script>
  console.log(location.hash);
  const iframe = document.createElement("iframe");
  iframe.src = "http://localhost:8000/hash/b.html#name2";
  document.body.appendChild(iframe);
</script>

Copy the code
// b.html
<script>
  window.parent.parent.location.hash = location.hash;
</script>
Copy the code

9.window.name + Iframe

Third, why cross-domain?

1. Limit requests from different sources and limit attackers to steal request data. 2. Limit DOM operations and limit phishing sites. Manipulating DOM nodes