- CORS Essentials
- Rajesh Gunasundaram, Randall Goya
- 2021-07-09 19:53:41
The same-origin policy
Sooner or later, web developers run up against the same-origin policy. Maybe you want to trigger a script on one domain and use the results on a different domain, but you can't.
The same-origin policy is necessary for web application security. Executing a script may expose sensitive information, so access to that information is limited to the domain the script was loaded from, unless code has specifically granted access to an external domain.
Note: The same-origin policy is defined by the Internet Engineering Task Force (IETF) (https://tools.ietf.org/html/rfc6454#page-4).
A major motivation for implementing the same-origin policy is to protect sensitive information stored in cookies from being exposed to another domain. Web applications maintain authenticated user sessions in cookies, and the user's personalizations and account information are stored in cookies as well. To ensure data confidentiality, cookies may not be shared across domains. For cookies, a domain and its sub-domains count as the same origin; for DOM elements such as scripts, the match is more fine-grained.
The same-origin policy also applies to requests made with XMLHttpRequest (XHR). We will see how the Access-Control-Allow-Origin header is used to relax the same-origin policy.
Notably, JSON-P, WebSocket, and window.postMessage are not restricted by the same-origin policy.
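As an added example (not code from the book), the following JavaScript contrasts the coarse domain match that cookies use with the exact scheme/host/port origin match that applies to scripts and XHR, and then checks whether a response's Access-Control-Allow-Origin header would let a page read a cross-origin XHR response. All hostnames are constructed; the header values mirror what a browser would require.

```javascript
// Added example, not from the book. Hostnames below are constructed.

// Parse a URL into the RFC 6454 origin tuple; WHATWG URL drops default
// ports, so fill them back in to make the comparison explicit.
function originOf(url) {
  const u = new URL(url);
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

// Script/XHR rule: scheme, host and port must all match exactly.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Cookie rule (domain-match): a cookie set for `cookieDomain` is sent to
// that host and to any sub-domain of it, regardless of scheme or port.
function cookieDomainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// CORS relaxation: the browser lets the page read a cross-origin XHR
// response only if Access-Control-Allow-Origin is "*" or echoes the page's
// exact serialized origin. A credentialed request (cookies sent) additionally
// rejects "*" and requires Access-Control-Allow-Credentials: true.
function responseReadable(pageUrl, headers, withCredentials = false) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false; // no CORS header: SOP applies as-is
  const pageOrigin = new URL(pageUrl).origin;
  if (withCredentials) {
    return acao === pageOrigin &&
           headers['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// Small demonstration when run directly.
console.log(sameOrigin('https://app.example.com', 'https://api.example.com'));      // false
console.log(cookieDomainMatches('api.example.com', '.example.com'));                // true
console.log(responseReadable('https://app.example.com',
  { 'access-control-allow-origin': '*' }, true));                                   // false
```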