This is the 13th day of my participation in Gwen Challenge

What is the same origin policy?

The same origin policy is a browser security feature that prevents a page from reading data that comes from a different origin. So an ajax request from a page under lilnong.top to data on 51VV.com will report an error. (The response is still visible in the Network panel, which proves that the restriction is enforced by the browser.)

Of course, there are exceptions.

These exceptions amount to setting the src of a script tag, the href of a link tag, the src of an img tag, or the src of an iframe tag. Such resources can be referenced and used, but their content cannot be read by the page.

An img can be displayed, but it cannot be drawn into a canvas for further processing, because that taints the canvas. An iframe can be displayed, but its DOM cannot be accessed; a cross-origin script runs, but the page cannot get the location of errors in it.

Definition of same origin

The protocol, domain name, and port are all the same. For www.a.com/static this address comes to…
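As an added example (not code from the original post), here is a same-origin check that follows the definition above (protocol, host and port must all match, path is ignored), together with a summary of what page script can do with each kind of cross-origin resource mentioned in the exceptions. It assumes a runtime with the built-in URL class (Node.js or a modern browser); the sample URLs are constructed for illustration.

```javascript
// Default ports, so http://a.com and http://a.com:80 compare as the same origin
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originParts(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { protocol: u.protocol, host: u.hostname, port };
}

// Same origin = same protocol, same host (a subdomain is a different host), same port.
// The path (e.g. /static) plays no part in the comparison.
function isSameOrigin(a, b) {
  const x = originParts(a);
  const y = originParts(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// What the page's script can do with a resource loaded in the given way.
// Cross-origin resources can be embedded (script/link/img/iframe) but not read;
// a cross-origin ajax (XHR/fetch) response is withheld from the script entirely.
function describeAccess(pageUrl, resourceUrl, how) {
  if (isSameOrigin(pageUrl, resourceUrl)) return "same-origin: embed and read";
  switch (how) {
    case "xhr":    return "cross-origin: blocked (response arrives, script cannot read it)";
    case "img":    return "cross-origin: displays, but drawing it into a canvas taints the canvas";
    case "iframe": return "cross-origin: displays, but its DOM is not accessible";
    case "script": return "cross-origin: runs, but error locations are hidden from the page";
    case "link":   return "cross-origin: stylesheet applies, but its content cannot be read";
    default:       return "cross-origin: embed only";
  }
}

// Constructed sample: the lilnong.top page and the 51VV.com API from the text above
console.log(describeAccess("http://lilnong.top/", "http://51vv.com/api", "xhr"));
console.log(isSameOrigin("http://www.a.com/static", "http://www.a.com:80/index"));
```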

Why have the same origin policy?

Security issues

Example 1: Ordinary Internet users do not remember domain names and similar details. What if, in my own page, I nest Taobao in an iframe and enlarge it so that it looks exactly like Taobao? The iframe would carry the user's Taobao login state. Without the same origin policy, at that point we could obtain the user's password, create orders for the user, cancel the user's account and perform other harmful operations.

Example 2: The leader asked for Tencent news. Fine, so we embed it and scale it adaptively. At that point we could add small ads and intercept some user actions. It costs nothing at all, and we have got ourselves a Tencent news.

Data ownership problem

You all know about crawlers. I remember a headline I saw on Sifu a few days ago ("Dining Friends" app sentenced to pay 2.1 million yuan for grabbing Weibo data without permission). If there were no same-origin policy, Dining Friends could simply pull Weibo data with ajax directly from the user's browser. You might say Referer validation would stop that, but if the browser has no same origin policy, that can be bypassed too. What the Weibo side sees is a normal Weibo user, from a normal IP, accessing their interface. What about crawlers? A crawler is an actively triggered operation in which the operator uses their own IP to impersonate a legitimate user and grab data.

Conclusion

The same origin policy is good and protects against most attacks. But, reasonable as it is, in some special cases we still need a way around this policy.