Home > Web Front-end > JS Tutorial > js origin policy: a complete security restriction for operating web content

js origin policy: a complete security restriction for operating web content

php是最好的语言
Release: 2018-08-03 10:33:11
Original
2463 people have browsed it

Same origin policy

Same origin is a complete security restriction for js to operate on those web contents. It will come into play when the web page opens other browser windows or uses iframes.
That is, the script can only read the properties of windows and documents that have the same source as the document to which they belong.
The source of the document includes the protocol, host, and url port for loading the document. Documents loaded from different web servers have different origins, and documents loaded from different ports on the same host also have different origins. Those using http and https are also from different sources because the protocols are different.
That is, the protocol, host, and url port for loading the document must be completely the same as the document to allow the script to read the file content.
But it has nothing to do with the source of the script itself.
Example
Script a is included in a document bb from host b, that is, script a can access all the contents of document bb.
Script a opens another cc document from host c. Due to different sources, script a cannot access the content of document cc. But if script a opens a document bbb from host b, then script a can access document bbb (at this time, under two different windows, access can also be achieved)
If the script opens a window, the script It can also be closed, but the inside of the window cannot be viewed in any way.

Lose origin policy

Use web server for chrome locally to start the service. Modify the host file, parse home.abc.com and abc.com to access these two domain names
, http://home.abc.com:8887/ and http://abc.com:8887/ both come from The same host 127.0.0.1
This completes the construction of the simplest local server

Set document.domain

> document.domain
"home.abc.com"
Copy after login

Only allow requests for websites originating from home.abc.com.
Settings

> document.domain = "abc.com";
"abc.com"
Copy after login

This sets up a same origin, and treats requests from

*.abc.com
Copy after login

as all origins.

Set the same document.domain

Set the same document.domain. If the two values ​​​​are the same, the scripts can access each other. Will not be bound by same origin.

Cross-domain resource sharing

Use Origin to extend http to ensure resource sharing

https://developer.mozilla.org...

Explicit to list all sources. According to the value of Origin, sources are listed to avoid cross-source messages again

Cross-document messages

Use the postMessage() method to asynchronously deliver message events

Scripted plug-ins and ActiveX controls

In web browsers, js is used as the scripting engine for many software and plug-ins.
ActiveX is widely used in online banking, ╮(╯▽╰)╭
is a very old technology. . 3721. (⊙o⊙)

What js can’t do

Client js does not have permission to write or delete any files or list any directories on the client computer. That is, js programs cannot delete data or implant viruses.
The client's js does not have any general network capabilities. The client's js program can program the http protocol, and there is a socket API for specifying server communication, but it cannot carry out wider and wider networks. access.

Related articles:

Explanation of knowledge points about the same-origin policy and csrf security policy

detailed explanation of the js same-origin policy

Related videos:

JavaScript Basics Video Tutorial

The above is the detailed content of js origin policy: a complete security restriction for operating web content. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template