I just discovered the difference between a dream and reality

Persistence is victory: just a record of the knowledge points learned each day

2018-5-7 (Monday)

Calling sessionStorage.setItem(key, str) twice with the same key: the second value does not overwrite the first, and getItem('key') returns the two strings joined together.

Cross-domain (cross-origin) problems have these causes: 1. browser restrictions (the front end does send the request and the back end does return the data; it is the browser that blocks it); 2. not being in the same local network, for example a different port; 3. the request being an XMLHttpRequest (a non-XHR request such as JSONP does not produce a cross-domain error).

Cross-domain problems can be solved from two sides: 1. the server allows cross-domain requests; 2. the caller hides the fact that the request is cross-domain.

1. Add cross-domain support on the server, for example by setting the relevant response headers in a filter (the response.setHeader() method).

2. Configure the browser to allow cross-domain requests.

3. Do not use an XHR request, for example JSONP (disadvantage: GET requests only).

4. Configure a proxy on an intermediate server such as Nginx or Apache.

5. Use the Spring Boot annotation @CrossOrigin.
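As an added example (not code from the original post), here is the decision a server-side filter makes before calling response.setHeader(), written for Node.js instead of a Java filter. The origins in the allow-list and the function names are my own assumptions; the point is that the allowed origin comes from the list, not from echoing back whatever Origin the request carried.

```javascript
// Added example: server-side CORS decision from an explicit allow-list.
// The origins below are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Returns the CORS headers to set for a request's Origin, or an empty object
// when the origin is not allowed. Reflecting an arbitrary Origin (or using "*"
// together with credentials) would let any site read credentialed responses,
// so the value is taken only from the allow-list.
function corsHeaders(origin, { credentials = false } = {}) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin,
    // Tell caches that the response depends on the Origin header.
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
  };
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Applies the decision to a response object that exposes setHeader()/end()
// (as Node's http.ServerResponse does). Preflight OPTIONS requests are
// answered directly: 204 when allowed, 403 otherwise. Returns true when the
// request has been fully handled here.
function applyCors(req, res) {
  const headers = corsHeaders(req.headers.origin, { credentials: true });
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') {
    res.statusCode = Object.keys(headers).length ? 204 : 403;
    res.end();
    return true;
  }
  return false;
}
```

In a real server the filter runs first: `http.createServer((req, res) => { if (applyCors(req, res)) return; /* normal handling */ })`. The `Vary: Origin` header matters whenever the allow-list has more than one entry, otherwise a shared cache could serve one origin's response, with its Access-Control-Allow-Origin value, to another.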

There are two types of XSS attack: 1. Reflected: a tag is placed in a request URL parameter (style: affects the page's styling; script: adds a script event; iframe: adds a window); the server parses it and returns the wrong data, and the browser renders the result, for example in a comment feature; 2. Stored: the script and so on is stored in a database (SQL) and served back later.

Solution: encode, filter, correct. Encode the user's data as HTML entities, and add filtering during the transcoding step: remove DOM event attributes entered by the user, such as onerror and onclick, and remove the style, script and iframe tags. If the framework's default transcoding is used, the filtering code cannot be added.
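As an added example (not code from the original post), the two defensive layers the note lists, written in JavaScript: entity-encoding of user data as the default, and a filter that removes the tags and on* event attributes named above for the case where some markup must be kept. The function names and the sample inputs are my own.

```javascript
// Added example: HTML-entity encoding and tag/event filtering for user data.
// Sample inputs in the usage note and tests are constructed.

// Layer 1: encode the five characters that can change HTML structure or break
// out of a quoted attribute value. This is the default for all untrusted text.
function encodeHtmlEntity(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Layer 2: strip the dangerous tags (with their contents) and every on*
// event-handler attribute. Regex filtering makes the note's idea concrete;
// a production sanitizer should parse the HTML instead of pattern-matching it.
const BLOCKED_TAGS = ['script', 'style', 'iframe'];

function stripDangerousMarkup(html) {
  let out = String(html);
  for (const tag of BLOCKED_TAGS) {
    // paired tag including its contents, e.g. <script>...</script>
    out = out.replace(new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}\\s*>`, 'gi'), '');
    // any unpaired opening/closing tag left over, e.g. <iframe src=...>
    out = out.replace(new RegExp(`<\\/?${tag}\\b[^>]*>`, 'gi'), '');
  }
  // event-handler attributes: onerror="..." / onclick='...' / onload=name
  out = out.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
  return out;
}

// Rendering a comment: the author name is always entity-encoded; the body is
// encoded unless markup is explicitly allowed, in which case it is filtered.
function renderComment(author, body, { allowMarkup = false } = {}) {
  const safeBody = allowMarkup ? stripDangerousMarkup(body) : encodeHtmlEntity(body);
  return `<div class="comment"><b>${encodeHtmlEntity(author)}</b>: ${safeBody}</div>`;
}
```

Calling `renderComment('Bob & Co', '<script>alert(1)</script>')` yields `<div class="comment"><b>Bob &amp; Co</b>: &lt;script&gt;alert(1)&lt;/script&gt;</div>`, so the script text is displayed rather than executed. Encoding is the layer to rely on; the filter exists only for the case where some user markup has to survive, and its regexes are the kind of thing a parser-based sanitizer replaces.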

Origin http://43.154.161.224:23101/article/api/json?id=325692621&siteId=291194637