
  • CORS Essentials
  • Rajesh Gunasundaram, Randall Goya
  • 209 words
  • 2021-07-09 19:53:41

The same-origin policy

Sooner or later, web developers run up against the same-origin policy. Maybe you want to trigger a script on one domain and use the results on a different domain, but you can't.

The same-origin policy is necessary for web application security. The execution of a script may expose sensitive information. Access to this information is limited to the same domain where the script is located, unless access for an external domain has been specifically allowed by code.

Note

The same-origin policy is defined by the Internet Engineering Task Force (IETF) (https://tools.ietf.org/html/rfc6454#page-4).

A major motivation for implementing the same-origin policy is to protect sensitive information stored in cookies from being exposed to another domain. Web applications maintain authenticated user sessions in cookies, and a user's personalizations and account information are stored there as well. To ensure data confidentiality, cookies may not be shared across domains. For cookies, a domain and its sub-domains count as the same origin. For DOM elements such as scripts, the restrictions are more fine-grained.

The same-origin policy also applies to requests made with XMLHttpRequest (XHR). We will see how the Access-Control-Allow-Origin header facilitates the bending of the same-origin policy.
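The following JavaScript is an added example, not code from the book: it models the origin comparison a browser performs for XHR (scheme, host and port, per RFC 6454), the looser domain matching used for cookies (RFC 6265), and the check a browser applies to a response's Access-Control-Allow-Origin header before letting a script read a cross-origin result. The hostnames used are constructed for illustration.

```javascript
// Origin tuple per RFC 6454: scheme, host and port. URL.port is "" when the
// scheme's default port is in use, so it is filled in explicitly here.
function originOf(url) {
  const u = new URL(url);
  const defaultPorts = { "http:": "80", "https:": "443" };
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || defaultPorts[u.protocol] || "",
  };
}

// Two URLs share an origin only if all three tuple members are equal.
// Note that a sub-domain (api.example.com vs app.example.com) does NOT match.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Cookie scope is coarser (RFC 6265 domain matching): a cookie set with
// Domain=example.com is sent to example.com and every sub-domain of it,
// regardless of scheme or port.
function cookieDomainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// How a browser evaluates Access-Control-Allow-Origin for a cross-origin XHR:
// "*" allows any origin (but is rejected when the request carries credentials),
// otherwise the header must name exactly the requesting origin as serialized
// by the browser (e.g. "https://app.example.com", default port omitted).
function corsAllows(pageUrl, acaoHeader, withCredentials = false) {
  if (acaoHeader === undefined || acaoHeader === null) return false;
  if (acaoHeader === "*") return !withCredentials;
  return acaoHeader === new URL(pageUrl).origin;
}
```

Run the functions against your own page and API URLs to see why a request from app.example.com to api.example.com is blocked by the same-origin policy even though both hosts receive the same example.com cookies.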

Notably, JSON-P, WebSocket, and window.postMessage are not restricted by the same-origin policy.
