This is the sixth day of my participation in the November Gwen Challenge. Check out the event details: The last Gwen Challenge 2021


Hey everyone, I'm a front-end newcomer and a React beginner.

🌲🌲 Let me start with two questions: 1. At what stage does the browser block a cross-domain request? 2. Why do we add authentication fields such as a token to our interfaces? Is there any reason besides the business scenario?

A request is cross-domain because of the browser's same-origin policy: the protocol, domain and port must all match, and at least one of them differs. Browsers also let us make cross-domain requests through legitimate means; the commonly used methods are image probing (img tags), JSONP, CORS, an Nginx reverse proxy, middleware and so on. (Actually I was going to write about the principles of image probing and JSONP cross-domain as well as some caveats, but as the saying goes, "spot a problem and then wander off 💦"; we will talk about these cross-domain principles and caveats next time. 😄)

Enough chatter, let's look at the two problems above: 🍬 🍬 🍬 🍬 🍬 🍬 🍬 🍬 when we make a cross-domain request, at what stage does the browser prevent it? I believe you all know the answer to the first question: even if our request is cross-domain, it still reaches the server and the server responds normally; the browser sends the request, receives the response, and only then, because the response carries no matching Access-Control-Allow-Origin header, refuses to hand it to the page's JavaScript. Here's a small validation:

The server starts a service using egg at http://127.0.0.1:7001

The client sends the request using fetch:

Request result: the browser console reports a cross-domain (CORS) error

Here we look at the server output:

As you can see, although the request is cross-domain, the server still receives our request and responds to it.

So this confirms what we said: even if our request is cross-domain, the request reaches the server and the server responds normally, but the browser intercepts the response before the page can read it.

Now the second question: 🍬 🍬 🍬 🍬 🍬 🍬 🍬 🍬 why do we add authentication fields such as a token to our interfaces? Is there any reason besides the business scenario? Those of you who have read the first question, what do you think when you see this one? Especially now that we have seen that a cross-domain request we send is received and handled by the server. For example: if we submit a cross-domain request that modifies the database, is the database modified? (This matters because many small and medium-sized companies now have backends that allow requests from all origins for convenience.) So we can draw a conclusion: interfaces need authentication fields such as a token partly for business needs, such as recording user information, and partly to guard against a backend configuration that would otherwise let the database be modified from other places. (A special case, haha)

Finally, back to our topic: what can a blocked cross-domain request do? Once you understand the two problems above, you see that even if the response is blocked, the request has already done its work on the server; apart from reading data back, it can still do a lot of things, such as modifying database contents, for example adjusting your holiday balance to unlimited days, haha 😄
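To make the two questions above concrete, here is an added simulation (not the post's egg/fetch code) of a simple cross-origin POST: the "server" half applies the change before any CORS header is looked at, while the "browser" half only decides whether the page may read the response. The state, token value, origins and function names (handleAdjust, browserCanReadResponse, simulate) are all constructed for this illustration.

```javascript
// Constructed sample data for the illustration.
const state = { holidayBalance: 10 };
const VALID_TOKEN = 'constructed-demo-token'; // placeholder, not a real secret
const ALLOWED_ORIGIN = 'https://app.example';

// Server side: a state-changing endpoint.
// opts.allowAllOrigins models the permissive backend the post describes;
// opts.requireToken models the token check the post recommends.
function handleAdjust(req, opts) {
  const headers = {
    'Access-Control-Allow-Origin': opts.allowAllOrigins ? '*' : ALLOWED_ORIGIN,
  };
  if (opts.requireToken && req.headers.authorization !== `Bearer ${VALID_TOKEN}`) {
    return { status: 401, headers, body: 'missing or invalid token' };
  }
  // The mutation happens here, on the server, regardless of who sent it.
  state.holidayBalance = req.body.days;
  return { status: 200, headers, body: `balance set to ${state.holidayBalance}` };
}

// Browser side: the same-origin policy is applied when the response arrives.
// The request has already been sent; this only gates whether page JS can read it.
function browserCanReadResponse(pageOrigin, res) {
  const acao = res.headers['Access-Control-Allow-Origin'];
  return acao === '*' || acao === pageOrigin;
}

// A page on a different origin posts to the endpoint, optionally with a token.
function simulate(opts, token) {
  state.holidayBalance = 10; // reset between runs
  const req = {
    method: 'POST',
    origin: 'https://other.example',
    headers: token ? { authorization: `Bearer ${token}` } : {},
    body: { days: 9999 },
  };
  const res = handleAdjust(req, opts);
  return {
    status: res.status,
    readable: browserCanReadResponse(req.origin, res),
    balanceAfter: state.holidayBalance,
  };
}

// Blocked by the browser, yet the balance is already changed on the server.
console.log(simulate({ allowAllOrigins: false, requireToken: false }));
// With a token check, the request without a token changes nothing.
console.log(simulate({ allowAllOrigins: true, requireToken: true }));
```

The simulation models a "simple" request (for example a form-encoded POST); a request that carries a custom header such as Authorization triggers a CORS preflight first, and if the preflight is refused the browser never sends the real request, which is exactly why a token in a header is a useful defence here.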

This is the end of the article, thank you for reading. I wrote it because, while thinking about when a cross-domain request gets blocked, it suddenly occurred to me that since the request reaches the server, couldn't the server still do what I asked? A bit of a flight of fancy, haha.

Finally, I wish you study and progress, a successful career! 🎆 🎆 🎆