Things that cross domains

Original link: http://ponder.work/2023/08/15/cross-domain-things/

  • What is cross-domain?
    • The current domain accesses a resource that belongs to another domain. For HTTP, a URL identifies a resource, so a cross-domain request is one for a URL outside the current domain.
  • How is "domain" defined?
    • The domain here is the origin of the browser's same-origin policy.
    • Two URLs have the same origin if their protocol, host, and port are all the same.
  • Why restrict cross-origin requests?
    • Leaking information from the target domain
      • For example, a look-alike Taobao site lures the user into logging in and captures the password.
      • JavaScript directly reads the target domain's session id and cookies from the browser.
      • CSRF: for example, the URL in an <img> tag's src attribute is requested automatically.
    • Leaking information from the current domain
      • XSS (cross-site scripting) injection, which leaks user information from the current domain
        • Typically the page accepts user-constructed input that contains malicious script, fails to escape it, and outputs it on the page, where it executes.
  • How is cross-domain access restricted? The browser's same-origin policy
    • Forbidden
      • DOM same-origin policy: DOMs from different origins cannot interoperate, for example across multiple iframes
      • XMLHttpRequest same-origin policy: requests to URLs of a different origin are prohibited
      • Same-origin policy for stored content such as cookies, LocalStorage, and IndexedDB
    • Allowed
      • Links in pages, redirects, and form submissions
      • <script>, <img>, and <link> tags with a src attribute can load cross-origin resources (GET only)
  • What inconveniences does restricting cross-domain access cause?
    • When the front end and back end are developed separately, localhost cannot directly access the back-end resources
    • Some public APIs cannot be accessed
    • An https page cannot load its http static resources
  • How to get around the same-origin policy?
    • Browser startup parameters (a change on the client side)
    • Reverse proxy (a change in the current domain)
    • JSONP (a change on the target domain)
      • Uses the fact that <script> is allowed cross-domain: set the tag's src to the target domain, which dynamically generates the required JavaScript content
    • Cross-Origin Resource Sharing (CORS) (a change on the target domain)
      • Set the corresponding response headers:
        Access-Control-Allow-Origin: https://foo.example          // allowed origin
        Access-Control-Allow-Methods: POST, GET, OPTIONS          // allowed request methods
        Access-Control-Allow-Headers: X-PINGOTHER, Content-Type   // allowed request headers
        Access-Control-Max-Age: 86400                             // seconds the preflight result may be cached
  • References
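The origin comparison from the "How is 'domain' defined?" bullets above, as an added example that is not part of the original post: it compares the protocol, host, and port of two URLs using Node's built-in URL class, filling in default ports so that an explicit ":80" still counts as the same origin. The sample URL pairs are constructed for illustration.

```javascript
// Added example (not from the original post): check two URLs against the
// browser's same-origin rule: protocol, host, and port must all match.
// Parsing uses Node's built-in WHATWG URL class; no packages are required.

// Default ports, so "http://a.example" and "http://a.example:80" compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Return the origin triple (scheme, host, port) of a URL. Throws on an
// unparsable URL, which callers should treat as "not same-origin".
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== '' ? u.port : (DEFAULT_PORTS[u.protocol] ?? '');
  return { scheme: u.protocol, host: u.hostname, port }; // hostname is already lowercased
}

// Same origin means every component of the triple is identical; path, query,
// and fragment play no part in the comparison.
function isSameOrigin(a, b) {
  let x;
  let y;
  try {
    x = originOf(a);
    y = originOf(b);
  } catch {
    return false;
  }
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample pairs covering the cases the outline lists.
const SAMPLES = [
  ['http://shop.example/cart', 'http://shop.example:80/api/items'],      // same: default port
  ['http://shop.example/a', 'http://SHOP.example/b?x=1#frag'],           // same: path/query/fragment ignored
  ['http://shop.example/cart', 'https://shop.example/cart'],             // differs: protocol
  ['http://shop.example/cart', 'http://shop.example:8080/cart'],         // differs: port
  ['http://shop.example/cart', 'http://api.shop.example/cart'],          // differs: host (subdomain)
  ['http://shop.example/cart', 'http://shop.example.attacker.example/'], // differs: host must match exactly
  ['http://shop.example/cart', 'not a url'],                             // unparsable: treated as different
];

function report() {
  return SAMPLES.map(([a, b]) => ({ a, b, sameOrigin: isSameOrigin(a, b) }));
}

for (const r of report()) {
  console.log(`${r.sameOrigin ? 'same     ' : 'different'}  ${r.a}  vs  ${r.b}`);
}
```

The last two pairs are the ones worth remembering when writing your own checks: a host that merely ends with the expected name is a different origin, and anything that fails to parse should be rejected rather than assumed local.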

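The CORS headers listed under "Set the corresponding response headers" above, applied by a server-side policy check, as an added example that is not from the original post. The header values are the ones the post lists; the allow-list, the sample preflight requests, and the helper names (corsHeadersFor, preflightDecision) are assumptions made for illustration.

```javascript
// Added example (not from the original post): a server-side CORS policy check
// that decides which of the response headers listed above to send. The
// allow-list and sample requests are constructed for illustration.

// Exact origins that may read responses from this API. Keep this a closed list:
// reflecting whatever Origin the request carries, or sending "*" together with
// Access-Control-Allow-Credentials, would let any site read the response.
const ALLOWED_ORIGINS = new Set(['https://foo.example']);
const ALLOWED_METHODS = ['POST', 'GET', 'OPTIONS'];
const ALLOWED_HEADERS = ['X-PINGOTHER', 'Content-Type'];
const MAX_AGE_SECONDS = 86400; // how long the browser may cache the preflight result

// Headers for a request from `origin`, or null if the origin is not allowed.
// With null the server sends no CORS headers and the browser blocks the page
// from reading the response.
function corsHeadersFor(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
    'Access-Control-Max-Age': String(MAX_AGE_SECONDS),
    // Tell caches the answer depends on Origin, so one origin's headers are
    // never replayed to another.
    Vary: 'Origin',
  };
}

// Decide a preflight (OPTIONS) request. The browser sends the method and the
// non-simple headers the page intends to use; each must be on the list.
// Header names are case-insensitive, so compare them lowercased.
function preflightDecision(origin, requestedMethod, requestedHeaders) {
  const headers = corsHeadersFor(origin);
  if (headers === null) return { status: 403, headers: {} };

  const methodOk = ALLOWED_METHODS.includes(String(requestedMethod).toUpperCase());
  const allowedLower = ALLOWED_HEADERS.map((h) => h.toLowerCase());
  const headersOk = requestedHeaders.every((h) => allowedLower.includes(h.toLowerCase()));
  if (!methodOk || !headersOk) return { status: 403, headers: {} };

  return { status: 204, headers }; // a preflight answer needs no body
}

// Constructed preflights: one that passes and three that each fail one check.
function runSamples() {
  return [
    preflightDecision('https://foo.example', 'POST', ['X-PINGOTHER', 'content-type']),
    preflightDecision('https://evil.example', 'POST', ['X-PINGOTHER']),  // origin not listed
    preflightDecision('https://foo.example', 'DELETE', []),              // method not listed
    preflightDecision('https://foo.example', 'GET', ['X-Custom-Token']), // header not listed
  ];
}

for (const d of runSamples()) {
  console.log(d.status, JSON.stringify(d.headers));
}
```

In a real handler the three inputs come from the request headers Origin, Access-Control-Request-Method, and Access-Control-Request-Headers; the same corsHeadersFor result is also attached to the actual (non-preflight) response, since the browser checks Access-Control-Allow-Origin there too.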