Original link: http://ponder.work/2023/08/15/cross-domain-things/
- What is cross domain?
- What is the definition of domain?
- The "domain" here means the origin in the browser's same-origin policy.
- Two URLs are of the same origin if their protocol, port, and host are the same.
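An added example (not from the original post) that turns the definition above into an explicit check: two URLs are compared on scheme, host and port only, with default ports normalised so that an explicit `:443` on an https URL still counts as the same origin. The sample URL pairs are constructed for illustration.

```javascript
// Added example: same-origin comparison on the (scheme, host, port) triple.
// Uses the WHATWG URL parser available in Node 18+ and all modern browsers.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to the triple the same-origin policy looks at. The URL parser
// already lowercases scheme and host and drops a default port, so we add the
// default back explicitly to make the comparison transparent.
function originOf(url) {
  const u = new URL(url);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { protocol: u.protocol, hostname: u.hostname, port };
}

function isSameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// Constructed sample pairs: which differences break same-origin and which do not.
const SAMPLES = [
  ["https://shop.example/cart", "https://shop.example/account?tab=1"], // path/query differ: still same origin
  ["https://shop.example/",     "https://shop.example:443/"],          // explicit default port: same origin
  ["https://shop.example/",     "http://shop.example/"],               // scheme differs: cross-origin
  ["https://shop.example/",     "https://shop.example:8443/"],         // port differs: cross-origin
  ["https://shop.example/",     "https://api.shop.example/"],          // host differs (a subdomain counts): cross-origin
];

function runSamples() {
  return SAMPLES.map(([a, b]) => ({ a, b, sameOrigin: isSameOrigin(a, b) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) {
    console.log(r.sameOrigin ? "same " : "cross", r.a, "<->", r.b);
  }
}
```

Note that a subdomain is a different origin: the policy does not know about "site" or registrable domain, which is why `api.shop.example` cannot read `shop.example`'s responses without one of the techniques listed later on this page.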
- Why restrict cross-origin requests?
- Leaking target domain information
- For example, a look-alike Taobao phishing site lures the user into logging in and captures the password.
- JavaScript directly reading the target domain's session id and cookies from the browser
- CSRF, e.g. a request to the target domain triggered automatically by the src of an img tag
- Leaking current domain information
- XSS (cross-site scripting) injection, leaking user information in the current domain
- Typically the page accepts user-supplied input that contains malicious script; the input is written into the page without escaping and is executed.
- How is cross-domain access restricted? The browser's same-origin policy
- Forbidden
- DOM same-origin policy: DOMs of different origins cannot access each other, e.g. between a page and an iframe from another origin
- XMLHttpRequest same-origin policy: requests to URLs of a different origin are not allowed
- Same-origin policy for stored data such as cookies, LocalStorage and IndexedDB
- Allowed
- Links in pages, redirects and form submissions
- `<script>`, `<img>` and `<link>` tags with a src attribute can load cross-origin resources (GET only)
- What are the inconveniences caused by restricting cross-domain?
- When the front-end and back-end are developed separately, a page served from localhost cannot access the back-end resources normally
- Some public APIs cannot be called from the browser
- An https page cannot load http static resources
- How to bypass the same-origin policy?
- Browser startup parameters (operated on the client side)
- Reverse proxy (operating in the current domain)
- JSONP (operates on target domain)
- Uses the cross-origin loading allowed for `<script>`: set the tag's src to the target domain, which dynamically generates the required JavaScript content (a function call wrapping the data)
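An added example (not from the original post) of the target-domain side of JSONP described above, with the checks a defender wants on such an endpoint: the callback name is validated before it is written into the script body (otherwise the endpoint reflects arbitrary text as executable script), and the data is serialised so it cannot end the script element early. The endpoint URL, parameter names and sample data are constructed for the example.

```javascript
// Added example: building a JSONP response safely on the target domain,
// plus the client-side URL the <script> tag would point at.

// A callback must look like a JS identifier path, e.g. "handle" or "app.onData".
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Serialise data for embedding in a script body. JSON.stringify leaves "<"
// alone, so "</script>" inside the data would close the element; escape it,
// along with the two line terminators that are legal in JSON but not in JS strings.
function jsonForScript(data) {
  return JSON.stringify(data)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Returns { status, contentType, body } for the JSONP endpoint.
function jsonpResponse(callback, data) {
  if (!isValidCallback(callback)) {
    return { status: 400, contentType: "text/plain; charset=utf-8", body: "invalid callback" };
  }
  return {
    status: 200,
    // Send a script MIME type: with X-Content-Type-Options: nosniff the browser
    // refuses to execute a script response served as JSON or text.
    contentType: "application/javascript; charset=utf-8",
    body: `${callback}(${jsonForScript(data)});`,
  };
}

// Client side: the URL the page would assign to a dynamically created <script>.
// Shown as a URL builder so the example also runs outside a browser.
function jsonpScriptUrl(endpoint, callback, params) {
  const u = new URL(endpoint);
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  u.searchParams.set("callback", callback);
  return u.toString();
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(jsonpScriptUrl("https://api.target.example/users", "app.onData", { id: "42" }));
  console.log(jsonpResponse("app.onData", { user: "alice", note: "</script> would end the element" }).body);
  console.log(jsonpResponse("foo;bar", {}).status);
}
```

Because any site can include the script, a JSONP endpoint should only ever expose data that is acceptable to hand to every origin; it is a deliberate hole in the same-origin policy, not a scoped one like CORS.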
- Cross-Origin Resource Sharing (CORS) (operates on the target domain)
- The target domain sets the corresponding response headers:
```http
Access-Control-Allow-Origin: https://foo.example          // allowed origin
Access-Control-Allow-Methods: POST, GET, OPTIONS          // allowed request methods
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type   // allowed request headers
Access-Control-Max-Age: 86400                             // seconds the browser may cache the preflight result
```