Front-End Matters (Part 1): Cross-Domain

Background

Why is there a cross-domain problem?

Because the browser enforces the same-origin policy.

What is the same-origin policy?

The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is an important security mechanism for isolating potentially malicious files.

How is "same origin" defined?

Two pages have the same origin when they share the same protocol (http, https), the same port and the same domain name.
The following table gives examples of same-origin checks relative to http://store.company.com/dir/page.html:

URL                                              Result   Reason
http://store.company.com/dir2/other.html         success  Only the path differs
http://store.company.com/dir/inner/another.html  success  Only the path differs
https://store.company.com/secure.html            failure  Different protocols (https vs. http)
http://store.company.com:81/dir/etc.html         failure  Different ports (http defaults to 80)
http://news.company.com/dir/other.html           failure  Different domain name (news vs. store)
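The table above, turned into a check you can run. This is an added example, not code from the original post; it uses the browser/Node.js WHATWG URL parser and fills in the default port so that http://host and http://host:80 compare equal. The BASE and CASES values are the post's own table rows.

```javascript
// Added example: same-origin comparison as the table above describes it
// (same scheme, same host, same port). Default ports are normalised so that
// "http://a.com" and "http://a.com:80" count as the same origin.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Effective port of a parsed URL; the URL parser drops a default port, so
// an empty string means "the scheme's default".
function effectivePort(url) {
  return url.port !== "" ? url.port : (DEFAULT_PORTS[url.protocol] || "");
}

// Reduce a URL string to the (scheme, host, port) triple that defines its origin.
function originTriple(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname, port: effectivePort(u) };
}

function isSameOrigin(a, b) {
  const x = originTriple(a);
  const y = originTriple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Same decision, but with the reason the table gives for each row.
function explainOrigin(base, candidate) {
  const x = originTriple(base);
  const y = originTriple(candidate);
  if (x.scheme !== y.scheme) return "failure: different protocols";
  if (x.host !== y.host) return "failure: different domain name";
  if (x.port !== y.port) return "failure: different ports";
  return "success: only the path differs";
}

// The rows of the table above, replayed against http://store.company.com/dir/page.html
const BASE = "http://store.company.com/dir/page.html";
const CASES = [
  "http://store.company.com/dir2/other.html",
  "http://store.company.com/dir/inner/another.html",
  "https://store.company.com/secure.html",
  "http://store.company.com:81/dir/etc.html",
  "http://news.company.com/dir/other.html",
];

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const c of CASES) console.log(c, "=>", explainOrigin(BASE, c));
}
```

Note that the path, query and fragment never enter the comparison, which is exactly why the first two rows succeed.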

Which attacks does the same-origin policy, as a security mechanism, guard against?

  • CSRF (cross-site request forgery)
  • Clickjacking

What is CSRF?

CSRF (cross-site request forgery) impersonates a trusted user to send commands that the user never issued to the attacked site. PS: There is a similar attack called XSS (cross-site scripting).

What is clickjacking?

Clickjacking, also known as a UI redress attack, is a term that first appeared in 2008, coined by the Internet security experts Robert Hansen and Jeremiah Grossman.
It misleads the victim's clicks by means of an invisible frame.
Although the victim clicks on what he sees on the page, what he actually clicks is a transparent page carefully constructed by the attacker and placed on top of the original web page.
The attack exploits the transparency attribute of HTML tags.
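The two attacks above are what a site has to keep in mind when it relaxes the same-origin policy with the methods that follow. As an added example (not code from the original post), here is the server-side response shaping that blocks the transparent-frame overlay and removes the ingredient CSRF relies on: headers that forbid framing by other origins, and a session cookie the browser will not attach to cross-site form posts. The partner origin and cookie name are constructed for the example.

```javascript
// Added example: response headers against clickjacking and a cookie attribute
// against CSRF. Not from the original post; origins and names are made up.

// allowedAncestors: []          -> nobody may frame the page
//                   ["'self'"]  -> only pages from the same origin may frame it
//                   [origins]   -> only those origins (CSP frame-ancestors form)
function antiFramingHeaders(allowedAncestors) {
  const headers = {};
  if (allowedAncestors.length === 0) {
    headers["X-Frame-Options"] = "DENY";
    headers["Content-Security-Policy"] = "frame-ancestors 'none'";
  } else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers["X-Frame-Options"] = "SAMEORIGIN";
    headers["Content-Security-Policy"] = "frame-ancestors 'self'";
  } else {
    // X-Frame-Options cannot express a list of origins; modern browsers honour
    // the CSP directive, so only that header is emitted for this case.
    headers["Content-Security-Policy"] = "frame-ancestors " + allowedAncestors.join(" ");
  }
  return headers;
}

// Session cookie whose attributes limit CSRF: SameSite=Lax keeps the cookie off
// cross-site POSTs (the forged "command" described above), HttpOnly keeps script
// away from it, Secure restricts it to HTTPS.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Wire both into a plain Node.js server; call createDemoServer().listen(8080) to run it.
function createDemoServer() {
  const http = require("http");
  return http.createServer((req, res) => {
    const headers = Object.assign(
      { "Content-Type": "text/html; charset=utf-8", "Set-Cookie": sessionCookie("sid", "demo-session") },
      antiFramingHeaders([])
    );
    res.writeHead(200, headers);
    res.end("<h1>not frameable</h1>");
  });
}
```

A page protected this way still renders normally when opened directly; only an attempt to load it inside another origin's iframe is refused, and a form post arriving from another site arrives without the session cookie.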

How to solve it

That concludes the background on cross-domain; readers who are interested can read further about CSRF, clickjacking and XSS attacks. Some references are given at the end of the text. Let's continue with how to solve cross-domain problems.

JSONP

First, some HTML tags are not subject to cross-domain restrictions, such as script, img and iframe. The JSONP approach to cross-domain requests uses the script tag. The principle, put simply: dynamically create a script tag and use the fact that its src is not restricted by the same-origin policy to fetch the data. There are plenty of code examples online, so I will not post one here; the crucial point is that the callback name must agree between the front end and the back end. In addition, JSONP can only send GET requests.
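Both halves of a JSONP exchange, as an added example that is not code from the original post. The page side injects a script tag whose src carries the callback name; the server side answers with JavaScript that calls that name. Because the callback name is reflected into executable script, the server side here accepts only a plain identifier. The endpoint URL, the `callback` query parameter name and the injected `doc`/`global` objects (the browser's `document` and `window` in practice) are assumptions of the example.

```javascript
// Added example: a JSONP client and the matching server-side response body.
// Not from the original post; the endpoint and parameter names are made up.

const CALLBACK_NAME = /^[A-Za-z_$][\w$]{0,63}$/;

// Server side: script body a JSONP endpoint returns for a callback name and data.
// Rejecting anything but an identifier stops the endpoint from echoing arbitrary
// script back to the page.
function jsonpBody(callback, data) {
  if (!CALLBACK_NAME.test(callback)) {
    throw new Error("invalid JSONP callback name");
  }
  // Leading comment: common guard against content sniffing. The typeof check
  // avoids a ReferenceError if the page never defined the callback.
  return `/**/ typeof ${callback} === "function" && ${callback}(${JSON.stringify(data)});`;
}

// Client side: fetch `url` by appending a <script> whose src names a one-shot
// global callback. Returns the callback name so the caller can see the contract.
function jsonpRequest(url, onData, { doc, global, paramName = "callback" } = {}) {
  const cb = "jsonp_" + Math.random().toString(36).slice(2);
  global[cb] = (data) => {
    delete global[cb];                                   // one-shot: drop the global
    if (script.parentNode) script.parentNode.removeChild(script); // and the tag
    onData(data);
  };
  const script = doc.createElement("script");
  const sep = url.includes("?") ? "&" : "?";
  script.src = url + sep + paramName + "=" + encodeURIComponent(cb);
  doc.head.appendChild(script);
  return cb;
}

if (typeof document !== "undefined" && typeof window !== "undefined") {
  jsonpRequest("https://api.example.com/data", console.log, { doc: document, global: window });
}
```

The contract the post calls crucial is visible in the two functions: the query parameter name the client sends (`callback`) is what the server reads, and the identifier the client registers is what the server's script invokes. If either side disagrees, the script loads but the callback never fires.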

iframe + form

This method achieves cross-domain POST requests. The principle is to combine the iframe tag, which is not subject to cross-domain restrictions, with a form submitted via POST.
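The iframe + form technique written out, as an added example rather than code from the original post. The form's `target` names a hidden iframe, so the browser submits into the frame and the top page never navigates. The frame is a different origin, so the page cannot read the response; this suits fire-and-forget submissions only. Note too that from the receiving server's point of view such a submission looks exactly like the cross-site form post CSRF is built on, which is why an endpoint that accepts it will normally demand a CSRF token. The `doc` parameter (the browser's `document` in practice) and the action URL are assumptions of the example.

```javascript
// Added example: cross-domain POST through a hidden iframe. Not from the
// original post; the action URL and fields are made up.

// Build the iframe and the form that targets it, attach both to the page and
// return them. `doc` is the browser document (injected so it can be exercised
// outside a browser).
function buildHiddenIframePost(doc, action, fields) {
  const frameName = "xd_post_" + Date.now();

  const iframe = doc.createElement("iframe");
  iframe.setAttribute("name", frameName);
  iframe.setAttribute("style", "display:none");

  const form = doc.createElement("form");
  form.setAttribute("method", "POST");
  form.setAttribute("action", action);
  form.setAttribute("target", frameName); // submit into the frame, not the page

  for (const [name, value] of Object.entries(fields)) {
    const input = doc.createElement("input");
    input.setAttribute("type", "hidden");
    input.setAttribute("name", name);
    input.setAttribute("value", String(value));
    form.appendChild(input);
  }

  doc.body.appendChild(iframe); // the frame must exist before the form targets it
  doc.body.appendChild(form);
  return { iframe, form };
}

// Build and submit in one step; returns the form for inspection.
function postViaIframe(doc, action, fields) {
  const { form } = buildHiddenIframePost(doc, action, fields);
  form.submit();
  return form;
}

if (typeof document !== "undefined") {
  postViaIframe(document, "https://api.example.com/submit", { user: "alice", score: 42 });
}
```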

document.domain

document.domain can only be used when a sub-domain accesses its parent domain.
For example, www.baidu.com can access the parent domain baidu.com by setting document.domain = "baidu.com".
To allow a sub-domain to access its parent domain securely via document.domain, both the parent domain and the sub-domain must set document.domain to the same value. This is necessary even if it only means the parent domain setting it back to its original value; failing to do so may result in permission errors.
PS: baidu.com is a first-level domain name, and www.baidu.com, with the www prefix, is a second-level domain name.
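The two rules in this section, as an added example (not code from the original post): which values a page may assign to document.domain, and why the parent page must set it too. Browsers also refuse public suffixes such as "com"; that check is approximated here by requiring a dot in the new value, which is an assumption, not the full rule. The page objects are constructed for the example.

```javascript
// Added example: the document.domain rules described above, modelled as
// functions. Not from the original post; the public-suffix check is a crude
// approximation (an assumption of this example).

// May a page at `currentHost` assign document.domain = newDomain?
// Allowed: the host itself, or a parent domain on a label boundary
// ("baidu.com" for "www.baidu.com", but not "du.com").
function documentDomainAllowed(currentHost, newDomain) {
  if (newDomain === currentHost) return true;
  if (!newDomain.includes(".")) return false;        // rough public-suffix guard
  return currentHost.endsWith("." + newDomain);      // label boundary required
}

// Effective domain of a page after its document.domain assignment (or none).
// A page that never set document.domain keeps a "not relaxed" flag, which is
// what makes the parent's otherwise no-op assignment necessary.
function effectiveDomain(page) {
  if (page.setDomain === null || page.setDomain === undefined) {
    return { domain: page.host, relaxed: false };
  }
  if (!documentDomainAllowed(page.host, page.setDomain)) {
    throw new Error(`cannot set document.domain to ${page.setDomain} from ${page.host}`);
  }
  return { domain: page.setDomain, relaxed: true };
}

// Two pages (same scheme and port assumed) may script each other only when both
// have relaxed their domain, or neither has, and the resulting domains match.
function canScriptEachOther(pageA, pageB) {
  const a = effectiveDomain(pageA);
  const b = effectiveDomain(pageB);
  return a.relaxed === b.relaxed && a.domain === b.domain;
}

// The post's scenario: sub-domain and parent both set "baidu.com".
const child = { host: "www.baidu.com", setDomain: "baidu.com" };
const parentSet = { host: "baidu.com", setDomain: "baidu.com" };
const parentUnset = { host: "baidu.com", setDomain: null };
```

Calling canScriptEachOther(child, parentSet) gives true, while canScriptEachOther(child, parentUnset) gives false: the parent page setting document.domain to its own name is not a no-op, which is the permission error the text warns about. Setting document.domain is deprecated in current browsers, so this mechanism should be treated as legacy.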

CORS

CORS is the standard way to do cross-domain requests under the same-origin policy: a web application tells the browser, through additional HTTP headers, that a script running at one origin (domain) is allowed to access selected resources from a server at a different origin.
CORS is implemented mainly on the back end by setting Access-Control-Allow-Origin: *; cross-domain access via CORS essentially has nothing to do with the front end, which sends its requests almost as usual. PS: IE10 and below do not support CORS.
For more detail on CORS, such as simple requests versus non-simple requests, see Ruan Yifeng's "Cross-Origin Resource Sharing (CORS) Explained".
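The server half of CORS, as an added example that is not code from the original post. It shows the wide-open Access-Control-Allow-Origin: * setting the text mentions beside an origin allowlist that only echoes approved origins, and answers the OPTIONS preflight that non-simple requests trigger. The origins and endpoint shape are constructed for the example.

```javascript
// Added example: CORS response headers from a plain Node.js handler.
// Not from the original post; ALLOWED_ORIGINS and the endpoint are made up.

const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Build the CORS headers for one request.
// mode "wildcard": any site may read the response, but credentials are never sent.
// mode "allowlist": only known origins, with credentials and a Vary header.
function corsHeaders(requestHeaders, method, mode) {
  const origin = requestHeaders["origin"];
  const headers = {};
  if (!origin) return headers; // same-origin request or non-browser client

  if (mode === "wildcard") {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin"; // a cache must not hand one origin's answer to another
  } else {
    return headers; // unknown origin: no CORS headers, so the browser refuses the read
  }

  if (method === "OPTIONS") { // preflight for non-simple requests
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"; // fixed list, not echoed
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Wire the header logic into a server; call createCorsServer("allowlist").listen(8080) to run it.
function createCorsServer(mode) {
  const http = require("http");
  return http.createServer((req, res) => {
    const cors = corsHeaders(req.headers, req.method, mode);
    if (req.method === "OPTIONS") {
      res.writeHead(204, cors); // preflight answer carries headers only
      res.end();
      return;
    }
    res.writeHead(200, Object.assign({ "Content-Type": "application/json" }, cors));
    res.end(JSON.stringify({ ok: true, mode }));
  });
}
```

The wildcard form is the one the text names; it is fine for public, cookie-less data. Anything that relies on the session cookie needs the allowlist form, since browsers reject "*" together with credentials, and a server that simply echoes whatever Origin arrives has re-opened what the same-origin policy closed.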

Nginx proxy

The front-end server proxies the request and forwards it to the real back-end domain name. In terms of which domain name is allowed access, this is the same as CORS, but its real benefit is that it hides the back-end domain name.
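The proxy pattern written in plain Node.js, as an added example rather than the post's own configuration; it stands in for an Nginx location block that forwards a path prefix with proxy_pass. The browser only ever talks to the front-end host, so no CORS headers are involved and the back-end host name never reaches the client. The /api/ prefix and the back-end address are constructed for the example.

```javascript
// Added example: a reverse proxy for a path prefix. Not from the original
// post; BACKEND and the "/api/" prefix are made up.

const BACKEND = { host: "backend.internal", port: 3000 };

// Map an incoming front-end URL onto the back-end request, or null when the
// path is outside the proxied prefix (those requests are served normally).
function mapToBackend(url, prefix) {
  if (!url.startsWith(prefix)) return null;
  return { host: BACKEND.host, port: BACKEND.port, path: "/" + url.slice(prefix.length) };
}

// Request handler: forward /api/* to the back end and stream the answer back.
function proxyHandler(req, res) {
  const target = mapToBackend(req.url, "/api/");
  if (!target) {
    res.writeHead(404);
    res.end();
    return;
  }
  const http = require("http");
  // Copy the headers but rewrite Host so the back end sees its own name, and
  // drop the hop-by-hop Connection header, which must not be proxied.
  const headers = Object.assign({}, req.headers, { host: target.host });
  delete headers.connection;

  const upstream = http.request(
    { host: target.host, port: target.port, path: target.path, method: req.method, headers },
    (up) => {
      res.writeHead(up.statusCode, up.headers);
      up.pipe(res);
    }
  );
  upstream.on("error", () => {
    res.writeHead(502);
    res.end("bad gateway");
  });
  req.pipe(upstream);
}

// Call createProxyServer().listen(8080) to run it in front of the back end.
function createProxyServer() {
  return require("http").createServer(proxyHandler);
}
```

Because the browser sees a single origin, the same-origin check passes without any relaxation; the trade-off is that the proxy is now the place where access to the back end is controlled, so its prefix mapping should be as narrow as the front end actually needs.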

Summary

If you run into a cross-domain problem, don't panic. First check whether the front-end service and the requested resource are on the same domain; if not, coordinate with the back end so that the two are on the same domain as described above, which removes the cross-domain problem. Then choose a cross-domain method according to the project's actual needs; for example, if clients can be guaranteed to be IE10 or above, the last two methods are recommended.
Cross-domain issues themselves are not difficult; the difficulty lies in the various web attacks and defences behind them. Understanding cross-domain together with these web security policies is what truly understanding cross-domain means.
For web security problems, you can refer to my article: [Translation] Advanced Topics in Web Security.

Finally, thanks for reading!

References

Source: blog.csdn.net/weixin_33939843/article/details/91391266