- CORS Essentials
- Rajesh Gunasundaram Randall Goya
- 273 words
- 2021-07-09 19:53:41
Commonly allowed cross-origin resource sharing
The same-origin policy does not apply to many resources that may be embedded cross-origin. The sharing of specific file types is limited by file type headers and by ensuring that the file extensions and file metadata match the expected type.
DOM elements allowed for cross-origin sharing
The following information box displays scenarios where DOM elements are allowed for cross-origin sharing:
Note
- Images with the <img> tag, as long as the file type matches expected image formats.
- Media files with the <video> and <audio> tags, as long as the file type matches expected media formats.
- JavaScript with the <script src="..."></script> tag. This method is used by many third-party applications, which embed a script to act upon the local resources, for example, a social media sharing service that analyzes the shareable images and other assets on the current page and reads the URI.
- CSS with the <link rel="stylesheet" href="..."> tag. Cross-origin CSS requires a correct content-type header. Client.
- Plugins with the <applet>, <object> and <embed> tags.
- Fonts with @font-face. Support for this method varies by client browser.
- Any content or URI loaded with the <frame> and <iframe> tags.
Allowing cross-origin sharing in WebSockets
The ability of WebSockets to bypass the same-origin policy is seen as a security risk. Using WebSockets on a gateway/server that supports origin-based security provides header-based security similar to CORS.
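One way a server can apply the origin-based check described above to the WebSocket handshake, as an added example that is not from the book. The names `ALLOWED_ORIGINS`, `normalizeOrigin`, `admitWebSocket` and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: origin-based admission for a WebSocket handshake.
// ALLOWED_ORIGINS and SAMPLE_REQUESTS are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Return the canonical origin, or null when the header is absent, "null",
// or anything other than a bare scheme://host[:port].
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // "", "null" and other non-URLs end up here
  }
  return url.origin === value.toLowerCase() ? url.origin : null;
}

// Decide on the HTTP Upgrade request before any WebSocket frame is read.
// Header names are expected in lower case, as in Node's req.headers.
function admitWebSocket(headers, allowed = ALLOWED_ORIGINS) {
  if (String(headers["upgrade"] || "").toLowerCase() !== "websocket") {
    return { status: 400, reason: "not a WebSocket upgrade" };
  }
  const origin = normalizeOrigin(headers["origin"]);
  if (origin === null) return { status: 403, reason: "missing or malformed Origin" };
  // Exact match only: no prefix, suffix or substring comparison.
  if (!allowed.has(origin)) return { status: 403, reason: "origin not allowed" };
  return { status: 101, origin };
}

const SAMPLE_REQUESTS = [
  { upgrade: "websocket", origin: "https://app.example.com" },
  { upgrade: "websocket", origin: "https://app.example.com.evil.test" },
  { upgrade: "websocket", origin: "https://app.example.com@evil.test" },
  { upgrade: "websocket", origin: "null" },
  { upgrade: "websocket" },
];
for (const headers of SAMPLE_REQUESTS) {
  console.log(headers.origin, "->", admitWebSocket(headers).status);
}
```

The Origin header is set by browsers, and a non-browser client can send any value, so this check works alongside authentication of the connection rather than replacing it.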
Limited cross-origin JavaScript API access
JavaScript APIs, such as iframe.contentWindow, window.parent, window.open, and window.opener, provide limited cross-origin access to the Window and Location objects. Some browsers permit access to more properties than the specification allows. You can use window.postMessage instead to communicate between documents in separate windows.