The same-origin policy

To protect user data and keep malicious websites from reading it, the browser restricts scripts running in one origin to accessing only resources of that same origin. This restriction is the same-origin policy.

Definition of same origin

Two URLs have the same origin when their protocol (scheme), host, and port are all identical.
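The following is an added example, not code from the original article: a same-origin check that compares exactly the triple defined above. It assumes Node.js (or any runtime with the WHATWG URL class) and absolute URLs as input. One detail the definition glosses over is that a URL written without a port uses the scheme's default port, so "https://example.com" and "https://example.com:443" are the same origin; the helper normalises that before comparing.

```javascript
// Added example (not from the original article): same-origin check over two URL strings.
// Assumptions: Node.js / WHATWG URL class; inputs are absolute URLs.

// Default ports per scheme; URL.port is "" when the port equals the scheme default.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to the (protocol, host, port) triple the same-origin policy compares.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port === "" ? (DEFAULT_PORTS[u.protocol] ?? "") : u.port;
  return { protocol: u.protocol, host: u.hostname, port };
}

// True only when all three components match. Path, query and fragment play no part.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.protocol === ob.protocol && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample pairs (not from the article) with the expected verdict for each.
const SAMPLES = [
  ["https://example.com/app", "https://example.com/api/data", true], // only the path differs
  ["https://example.com", "https://example.com:443/", true],          // default port written out
  ["https://example.com/a", "https://example.com/b?x=1#frag", true],  // query and fragment ignored
  ["http://example.com", "https://example.com", false],               // scheme differs
  ["https://example.com", "https://api.example.com", false],          // subdomain is a different host
  ["https://example.com", "https://example.com:8443", false],         // port differs
];

// Evaluate every sample and report the computed verdict next to the expected one.
function runSamples() {
  return SAMPLES.map(([a, b, expected]) => ({ a, b, expected, actual: isSameOrigin(a, b) }));
}

for (const r of runSamples()) {
  console.log(`${r.a}  vs  ${r.b}  ->  sameOrigin=${r.actual} (expected ${r.expected})`);
}
```

The check is deliberately strict: a subdomain is a different host, and an explicit non-default port is a different origin even on the same host. Those are exactly the cases the document.domain mechanism below relaxes, which is why that mechanism must be applied consistently on both sides.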

Inherited origin

Scripts executed in a page whose URL is about:blank or javascript: inherit the origin of the document that opened that URL, because these kinds of URLs carry no information about an origin server.

Changing the origin

You can change the origin of the current page by setting document.domain to the current domain or to a parent of the current domain. Because setting document.domain resets the port to null, when you change the origin this way you must set document.domain to the same value in both the parent and the child domain; otherwise the same-origin check fails because the ports differ.

Cross-domain

Requesting a resource from an origin other than the current page's origin is a cross-domain (cross-origin) request.

Cross-domain solutions

  • JSONP
  • CORS
  • document.domain (lowering both pages to a shared parent domain)
  • postMessage
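Two of the mechanisms listed above, postMessage and CORS, only stay safe when the receiving side checks the origin of what it gets. The following is an added example, not code from the original article, showing that check on both: a message handler that accepts postMessage events only from an allowlist of origins, and a server-side helper that emits CORS response headers only for allowlisted origins. The allowlist, the message shape and the sample events are constructed for this example.

```javascript
// Added example (not from the original article): origin validation for postMessage and CORS.
// Assumptions: ALLOWED_ORIGINS, the message shape and SAMPLE_EVENTS are constructed here.

const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// postMessage receiver. A "message" listener is invoked for messages from any origin,
// so the handler compares event.origin against the allowlist before trusting event.data.
// Returns the accepted payload, or null when the sender is not an allowed origin or the
// payload is not the object shape this receiver expects.
function acceptMessage(event, allowedOrigins = ALLOWED_ORIGINS) {
  if (!allowedOrigins.has(event.origin)) return null;
  if (typeof event.data !== "object" || event.data === null) return null;
  return event.data;
}

// Browser wiring (not executed in this Node example):
//   window.addEventListener("message", e => { const m = acceptMessage(e); if (m) handle(m); });
// The sender names the intended recipient instead of "*", so the message is delivered
// only if the target window is actually at that origin:
//   otherWindow.postMessage({ type: "ping" }, "https://app.example.com");

// CORS responder. The server decides per request whether the Origin header is allowed.
// It echoes only allowlisted origins; it does not reflect arbitrary origins, and it does not
// combine the "*" wildcard with credentials, which browsers reject anyway.
// Returns the headers to add, or null when the origin is not allowed (no CORS headers are
// sent, so the browser blocks the page from reading the response).
function corsHeadersFor(requestOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string" || !allowedOrigins.has(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    // The answer depends on Origin; tell caches so one origin's response is not reused for another.
    "Vary": "Origin",
  };
}

// Constructed sample events standing in for what the browser would deliver to the listener.
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: { type: "ping" } },   // allowed origin, valid shape
  { origin: "https://evil.example.net", data: { type: "ping" } },  // origin not on the allowlist
  { origin: "https://app.example.com", data: "plain string" },     // allowed origin, wrong shape
];

for (const ev of SAMPLE_EVENTS) {
  console.log(ev.origin, "->", JSON.stringify(acceptMessage(ev)));
}
for (const origin of ["https://app.example.com", "https://evil.example.net"]) {
  console.log(origin, "->", JSON.stringify(corsHeadersFor(origin)));
}
```

In a real server the corsHeadersFor result is applied to both the preflight (OPTIONS) response and the actual response; a null result means the request is answered without any Access-Control-* headers, and the browser enforces the same-origin policy on the page that tried to read it.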