Analysis of browser cross domain problem

Time:2020-11-25

The browser's same-origin policy: two URLs share an origin only when the protocol is the same, the domain name is the same and the port is the same. All browser vendors follow this policy.

Cross-origin (non-same-origin) access is restricted in three ways:

  1. Cookies, localStorage and IndexedDB cannot be read
  2. The DOM cannot be accessed
  3. Ajax requests cannot be sent

This same-origin policy can effectively prevent CSRF (cross-site request forgery) attacks.

CORS divides browser requests into two types:

  1. Simple request. A request is regarded as simple as long as all of the following conditions are met:
  • The request method is GET, POST or HEAD
  • The HTTP request headers do not go beyond the following fields: Accept, Accept-Language, Last-Event-ID, Content-Language, Content-Type
  • No event listener is registered on any XMLHttpRequestUpload object in the request
  • (XMLHttpRequestUpload objects are reached through XMLHttpRequest.upload) No ReadableStream object is used in the request

For a simple request, the browser sends the request directly; the server returns the response to the browser and carries the relevant information in the response headers, from which the browser determines whether the cross-origin request is permitted.

  2. Non-simple request

For example: PUT, DELETE, or Content-Type: application/json

Before the real request is sent, a non-simple request triggers a preflight request to the server using the OPTIONS method. The browser first asks the server whether the domain name of the current web page is on the server's permitted list, and which HTTP methods and header fields may be used. Only when it receives a positive reply does the browser send the real XHR request; otherwise an error is reported.


Cross-domain approaches

  1. Ajax cross-domain requests

The browser and server negotiate how the request is handled through HTTP header fields, namely the related fields whose names begin with Access-Control-.

  2. JSONP cross-domain requests

Tags such as script or img can load resources across domains, and browsers load them with the GET method. (For some important requests the business logic cannot submit data with GET and must use POST, so such cross-domain requests cannot be made with JSONP.)

  3. Server forwarding