The same-origin policy is a complete security restriction on what JavaScript may do with web content. It comes into play when a web page opens other browser windows or uses iframes.
That is, a script can only read the properties of windows and documents that have the same origin as the document the script belongs to.
The origin of a document consists of the protocol, host, and port of the URL from which the document was loaded. Documents loaded from different web servers have different origins, and documents loaded from different ports on the same host also have different origins. A document loaded over http and one loaded over https have different origins as well, because the protocols differ.
That is, the protocol, host, and port of the loading URL must be exactly the same for both documents before a script in one is allowed to read the content of the other.
This has nothing to do with the origin of the script file itself (where the script was loaded from does not matter).
Example
Script a is included in document bb from host b, so script a can access all the contents of document bb.
Script a opens another document cc from host c. Because the origins differ, script a cannot access the content of document cc. But if script a opens a document bbb from host b, then script a can access document bbb (even though the two documents are in two different windows).
If the script opens a window, it can also close that window, but it cannot read the contents of the window in any way.
Use Web Server for Chrome to start a local server. Modify the hosts file so that home.abc.com and abc.com both resolve to 127.0.0.1, which makes both domain names reachable:
http://home.abc.com:8887/ and http://abc.com:8887/ then both come from the same host, 127.0.0.1.
This completes the simplest possible local server setup.
> document.domain "home.abc.com"
By default, only documents originating from home.abc.com are allowed to access this document.
Settings
> document.domain = "abc.com"; "abc.com"
This relaxes the origin so that documents from *.abc.com are all treated as the same origin.
Set the same document.domain in both documents. If the two values are the same, the scripts can access each other and are no longer bound by the same-origin policy.
Use the Origin header to extend HTTP for cross-origin resource sharing (CORS)
https://developer.mozilla.org...
Explicitly list all allowed origins. The server checks the value of the request's Origin header against that list and replies with the matching origin, so the browser no longer blocks the cross-origin response.
Use the postMessage() method to deliver message events asynchronously between windows.
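To make the origin definition and the Origin-header check above concrete, here is an added example in Node.js (not code from the original article): the protocol + host + port comparison a browser performs, tried against the page's abc.com:8887 and home.abc.com:8887 hosts, and a server-side CORS allowlist check; the allowlist contents and the function names are assumptions.

```javascript
// Added example, not from the original post.
// An origin is scheme + host + port; URL.origin computes exactly that and
// drops default ports (80 for http, 443 for https).
function originOf(urlString) {
  return new URL(urlString).origin;
}

// The browser's same-origin test: two documents may read each other only when
// all three components agree. Paths and query strings play no part.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Hypothetical allowlist for the abc.com:8887 server from the article.
// Subdomains are separate origins, so each one must be listed explicitly.
const ALLOWED_ORIGINS = new Set([
  'http://abc.com:8887',
  'http://home.abc.com:8887',
]);

// Compute the CORS response headers for the Origin header a browser sent.
// Returns an empty object when Origin is absent (same-origin or non-browser
// request) or not allowed: without Access-Control-Allow-Origin the browser
// refuses to expose the response to the calling script.
function corsHeadersFor(originHeader) {
  if (!originHeader || !ALLOWED_ORIGINS.has(originHeader)) {
    return {};
  }
  return {
    // Echo the single matching origin rather than '*', so credentials can
    // still be used and unknown origins are never granted access.
    'Access-Control-Allow-Origin': originHeader,
    // Tell caches the response differs per Origin.
    'Vary': 'Origin',
  };
}

// Worked checks on the hosts used in the article.
function demo() {
  return {
    samePath: sameOrigin('http://abc.com:8887/a.html', 'http://abc.com:8887/b/c.html'),
    subdomain: sameOrigin('http://abc.com:8887/', 'http://home.abc.com:8887/'),
    otherPort: sameOrigin('http://abc.com:8887/', 'http://abc.com:8888/'),
    otherScheme: sameOrigin('http://abc.com/', 'https://abc.com/'),
    defaultPort: sameOrigin('http://abc.com/', 'http://abc.com:80/'),
    allowed: corsHeadersFor('http://home.abc.com:8887'),
    denied: corsHeadersFor('http://other.example'),
  };
}
```

Note that document.domain lets two subdomains of abc.com opt in to sharing, whereas CORS is decided by the server per request; neither relaxes the check for a different port or scheme.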
In web browsers, JavaScript is also used as the scripting engine for many kinds of software and plug-ins.
ActiveX, widely used in online banking ╮(╯▽╰)╭, is a very old technology. 3721. (⊙o⊙)
Client-side JavaScript has no permission to write or delete any files or list any directories on the client computer. That is, a JavaScript program cannot delete data or plant a virus.
Client-side JavaScript also has no general networking capability. A client-side JavaScript program can use the HTTP protocol, and there is a socket API for communicating with a specified server, but it cannot perform wider network access.
The above is the detailed content of js origin policy: a complete security restriction for operating web content. For more information, please follow other related articles on the PHP Chinese website!