"In the JavaScript field, the most important security restriction is the same-origin policy, which determines which servers a page can communicate with.
An origin refers to a single domain, such as www.csdn.net, accessed through a single protocol, usually HTTP. The same-origin policy specifies that only pages from the same origin can access, download, and interact with (using script) resources from that origin. For the hidden frame technique, this requires that all frames be loaded from the same origin so that they can communicate using JavaScript. If you try to load a page from another origin in a frame, you cannot interact with that page or access any of its scripts. The same-origin policy is intended to prevent malicious programmers from obtaining your information from outside the legitimate web page.
The same-origin policy also affects XMLHTTP. XMLHTTP cannot be used to access resources outside the origin of the page running the code. This means that, by default, you cannot use a URL starting with http:// in the open() method; you can only use an absolute or relative URL in the same domain. If you need to access a URL in a different origin, you must create a server-side proxy to handle the communication."
Internet Explorer does not provide an explicit same-origin policy, but relies on its own security zones to determine what can be accessed. Web pages in the Internet security zone generally follow rules similar to the same-origin policy, while pages in the Trusted Sites zone are not restricted by this policy.
The above is the description given in Advanced Ajax Program Design. So how should we understand this passage?
[Actual project] Assume that application A and application B are deployed on machine 1 and machine 2 respectively, and that a page in A needs to call a page in B. In the project, it was found that JavaScript code in A cannot access the content of B's page. This is because of JavaScript's cross-origin restrictions. However, you can send a request to B through XMLHTTP and receive the response message returned by B. This is not subject to cross-origin restrictions (because B's web server acts as a proxy).
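The same-origin decision and the server-side proxy described in the quoted passage can be sketched as follows. This is an added example, not code from the book or from the original post. The host names, the `/proxy` endpoint and the `planRequest` function are assumptions made for illustration, and the origin comparison follows the standard scheme, host and port rule.

```javascript
// Added example: all host names and the /proxy endpoint are constructed.
// Decide how a page may reach `target`:
//   "direct" - same origin, so XMLHTTP open() may use the URL as-is
//   "proxy"  - cross-origin, but the page's own server agrees to relay it
//   "deny"   - cross-origin and not on the server's relay allow-list
function planRequest(pageUrl, target, allowedUpstreams) {
  let resolved;
  try {
    // Relative URLs resolve against the page, so they stay on its origin.
    resolved = new URL(target, pageUrl);
  } catch (e) {
    return { mode: "deny", reason: "unparseable URL" };
  }
  if (!["http:", "https:"].includes(resolved.protocol)) {
    return { mode: "deny", reason: "unsupported scheme" };
  }
  // URL.origin is "scheme://host[:port]"; all three parts must match.
  if (resolved.origin === new URL(pageUrl).origin) {
    return { mode: "direct", url: resolved.href };
  }
  // Exact-origin match only. A proxy that relays to any host the caller
  // names would let callers make the server fetch internal addresses.
  if (allowedUpstreams.includes(resolved.origin)) {
    const via = new URL("/proxy", pageUrl); // hypothetical relay endpoint
    via.searchParams.set("url", resolved.href);
    return { mode: "proxy", url: via.href };
  }
  return { mode: "deny", reason: "origin not allow-listed" };
}

// Constructed sample: a page served by application A, with B allow-listed.
const PAGE = "http://a.example/app/index.html";
const UPSTREAMS = ["http://b.example"];
```

The proxied URL stays on the page's own origin, so the browser treats the call as a same-origin request and the server decides whether to relay it.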
You are welcome to leave a message to discuss Ajax cross-origin issues ~