First, why the browser enforces a same-origin policy
1. The same-origin policy is a security measure built into the browser itself.
2. Interface (API) requests:
a. After you log in, the server sets a Cookie carrying your identity for that site, and the browser attaches that Cookie to every later request to the same site.
b. The browser attaches a site's Cookie even when the request is triggered from a page on a different site. Without the same-origin policy a malicious page could not only fire such requests but also read their responses, which is the basis of CSRF (Cross-Site Request Forgery). Note that the same-origin policy restricts reading cross-origin responses and scripting cross-origin pages; it does not stop the forged request itself from being sent with the Cookie, so servers still need CSRF tokens or SameSite cookies on top of it.
3. DOM queries:
Without the same-origin policy, a script on one site could read and modify the DOM (the page elements) of another site, for example a page it has loaded in an iframe.
Second, what "cross-domain" means
1. The browser's same-origin policy: two URLs have the same origin only when their protocol (http vs https), host name (www.123.com vs 456.cn; every part of the host name must match, so a different subdomain is a different origin) and port (8001 vs 8002) are all identical.
2. A request from a page on one origin to a resource on a different origin is a cross-domain (cross-origin) request.
3. Special case: localhost and 127.0.0.1 are different host names, so they are cross-domain to each other even though they resolve to the same machine.
4. The cross-domain restriction: a script running on one page cannot read data from, or script the page of, a site that is not same-origin. It can still load cross-origin resources through tags such as <script> and <img>; that is what JSONP relies on.
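As an added example (not part of the original post), the following JavaScript computes the origin of a URL the way the same-origin policy does, with the scheme, lower-cased host and port (default port filled in), and compares the pairs the section lists: same host with different paths, http vs https, a different subdomain, different ports, an explicit default port, and localhost vs 127.0.0.1. The URLs in PAIRS are constructed for the demonstration; the manual extraction is cross-checked against the built-in URL.origin, which applies the same rule.

```javascript
// Added example, not from the original post. Implements the same-origin
// comparison (scheme + host + port) over constructed sample URLs.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Manual origin extraction so the three components are visible.
function originOf(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol;                        // e.g. 'https:'
  const host = u.hostname.toLowerCase();            // host names are case-insensitive
  const port = u.port || DEFAULT_PORTS[scheme] || ''; // WHATWG URL drops the default port
  return { scheme, host, port, serialized: `${scheme}//${host}:${port}` };
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Cross-check against the browser's own notion: URL.origin omits default ports
// and ignores path, query, fragment and userinfo, exactly as sameOrigin does.
function matchesBuiltin(a, b) {
  return sameOrigin(a, b) === (new URL(a).origin === new URL(b).origin);
}

// Constructed sample pairs mirroring the cases in the section above.
const PAIRS = [
  ['http://www.123.com/a', 'http://www.123.com/b?x=1'],   // path/query ignored: same origin
  ['http://www.123.com', 'https://www.123.com'],          // scheme differs
  ['http://www.123.com', 'http://api.123.com'],           // subdomain differs
  ['http://www.123.com:8001', 'http://www.123.com:8002'], // port differs
  ['http://www.123.com', 'http://www.123.com:80'],        // explicit default port: same origin
  ['http://localhost:3000', 'http://127.0.0.1:3000'],     // different host names
];

function classifyPairs(pairs = PAIRS) {
  return pairs.map(([a, b]) => sameOrigin(a, b));
}

for (const [a, b] of PAIRS) {
  console.log(sameOrigin(a, b) ? 'same-origin   ' : 'cross-origin  ', a, '<->', b);
}
```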
Third, ways to make cross-domain requests work
1. JSONP: the data is fetched through a <script> tag, so only GET is supported, not POST, and the page has to trust the remote server, since whatever it returns runs as script in the page.
2. Proxy: the front end calls an interface on its own origin, and a server-side proxy (for example Nginx) forwards the call to the other domain, so the browser never sees a cross-origin request.
3. CORS (Cross-Origin Resource Sharing)
The server adds headers such as the following to its responses:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400
Caveat: `*` lets any site read the response, so use it only for genuinely public data. For endpoints that rely on cookies (Access-Control-Allow-Credentials: true) the browser refuses `*`, and the server must echo a specific, allowlisted origin rather than blindly reflecting whatever Origin header arrives.
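As an added example (not part of the original post), the following JavaScript builds the CORS response headers for an API that must accept cookie-bearing requests from a fixed set of front-end origins, shows the insecure "reflect any Origin" variant beside it, and models the check the browser applies before it lets a page read a cross-origin response. The origins app.example.com, admin.example.com and evil.example.org are hypothetical.

```javascript
// Added example, not from the original post. Allowlisted origins are hypothetical.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Secure variant: echo the request's Origin only if it is on the allowlist.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) {
    // Absent or unknown Origin: emit no CORS headers, so the browser blocks the read.
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,   // a concrete origin, never '*' with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'X-PINGOTHER, Content-Type',
    'Access-Control-Max-Age': '86400',
    'Vary': 'Origin',                               // caches must key on Origin once it is echoed
  };
}

// Insecure variant, shown for contrast: reflect whatever Origin arrives. This is
// the common "fix" when '*' stops working with cookies, and it lets every site
// on the internet read the logged-in user's data.
function corsHeadersReflectAny(requestOrigin) {
  return corsHeaders(requestOrigin, new Set([requestOrigin]));
}

// Browser-side rule (simplified from the Fetch standard): the page may read a
// cross-origin response only if Allow-Origin equals its origin or is '*'; when
// the request carried credentials, '*' is rejected and Allow-Credentials must be
// exactly 'true'.
function browserAllowsRead(pageOrigin, withCredentials, responseHeaders) {
  const allowOrigin = responseHeaders['Access-Control-Allow-Origin'];
  if (allowOrigin === undefined) return false;
  if (withCredentials) {
    return allowOrigin === pageOrigin &&
      responseHeaders['Access-Control-Allow-Credentials'] === 'true';
  }
  return allowOrigin === '*' || allowOrigin === pageOrigin;
}

// Scenario: a credentialed fetch() from an attacker's page against the API,
// evaluated under a given server policy.
function attackerCanRead(serverPolicy, attackerOrigin = 'https://evil.example.org') {
  return browserAllowsRead(attackerOrigin, true, serverPolicy(attackerOrigin));
}

console.log('allowlist policy, attacker reads:', attackerCanRead(corsHeaders));
console.log('reflect-any policy, attacker reads:', attackerCanRead(corsHeadersReflectAny));
```

The Vary: Origin header matters as soon as the Origin is echoed: without it a shared cache could serve admin.example.com's Allow-Origin value to a request from app.example.com, which the browser would then reject.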
Fourth, OPTIONS (the preflight request)
1. A simple request must satisfy all of the following conditions:
a. The request method is one of GET, HEAD, POST.
b. The request headers set by the page are limited to Accept, Accept-Language, Content-Language, Content-Type.
c. The Content-Type is one of application/x-www-form-urlencoded, multipart/form-data, text/plain.
2. Common non-simple ("complex") requests: the method is PUT or DELETE, the Content-Type is application/json, or a custom header such as X-PINGOTHER or Authorization is set.
3. Preflight: only before a cross-domain request that is not simple does the browser first send an OPTIONS request, the preflight, carrying Access-Control-Request-Method and Access-Control-Request-Headers. The real request is sent only if the server's answer permits that method and those headers. Simple requests are sent straight away, and the browser then decides from the response headers whether the page may read the response.
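As an added example (not part of the original post), the following JavaScript applies the three simple-request conditions above to classify an outgoing request as simple or preflight-requiring, and implements the server side of the preflight: it checks the requested method and headers against a policy and answers with the Access-Control-* headers only when everything is allowed. The POLICY object, the origin app.example.com and the sample requests are constructed for the demonstration.

```javascript
// Added example, not from the original post. Policy and sample requests are constructed.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Browser side: would this request trigger an OPTIONS preflight?
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;    // PUT, DELETE, PATCH ...
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;                  // X-PINGOTHER, Authorization ...
    if (n === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();      // strip charset / boundary
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;           // application/json ...
    }
  }
  return false;
}

// Server policy (constructed): which origins, methods and request headers are allowed.
const POLICY = {
  origins: new Set(['https://app.example.com']),
  methods: new Set(['GET', 'POST', 'DELETE']),
  headers: new Set(['content-type', 'x-pingother']),
  maxAge: 86400,
};

// Server side: answer the OPTIONS preflight. `req` holds the lower-cased request
// headers the browser sends. Returns { status, headers }; any non-2xx status or a
// missing Allow-* header makes the browser abort the real request.
function handlePreflight(req, policy = POLICY) {
  const origin = req.origin;
  const method = (req['access-control-request-method'] || '').toUpperCase();
  const wanted = (req['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  const allowed = policy.origins.has(origin)
    && policy.methods.has(method)
    && wanted.every(h => policy.headers.has(h));
  if (!allowed) return { status: 403, headers: { 'Vary': 'Origin' } };
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Methods': [...policy.methods].join(', '),
      'Access-Control-Allow-Headers': [...policy.headers].join(', '),
      'Access-Control-Max-Age': String(policy.maxAge),
      'Vary': 'Origin',
    },
  };
}

// Constructed sample of the request sequence for a cross-origin DELETE.
const sampleDelete = { method: 'DELETE', headers: { 'Content-Type': 'application/json' } };
console.log('DELETE needs preflight:', needsPreflight(sampleDelete.method, sampleDelete.headers));
console.log(handlePreflight({
  origin: 'https://app.example.com',
  'access-control-request-method': 'DELETE',
  'access-control-request-headers': 'content-type',
}));
```

Answering 403 (or 204 without the Allow-* headers) is the right failure mode: the browser never sends the real DELETE, so the endpoint is never hit from a disallowed origin.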
Reference:
https://segmentfault.com/a/1190000015597029?utm_source=tag-newest