about security issues: (Xss,csrf,cors,jsonp, homologous policy)
Ajax is a way to get data from the server without having to refresh the page. Its core object is XHR, the same Origin policy is an AJAX constraint, it sets the same protocol for communication, the same domain name, the same port. For this reason, access to resources is not available, so there are several ways to solve this problem, first: cross-source resource sharing cors; second: Jsonp and image Ping, but not as secure as cors.
For cors: The entire cors communication process is done automatically by the browser, the key is the server, as long as the server provides a cors interface, you can cross-source communication. For simple requests, the browser makes a cors request directly, which is in the header information. Add an Origin field;
such as: get/corshttp/1.1
Origin:http://api.bob.com the cross-origin address of this request, the server decides whether to agree to the request based on that address. The server returns access-control-allow-origin the Type field;
Host:api.alice.com
Accept-language:en-us
Connection:keep-alive
user-agent:mozilla/5.0
Compared to JSONP: Jsonp only applies to get requests, but it can support older browsers. Cors does not support older browsers, but it can support all types of HTTP requests.
For JSONP: By introducing the script tag, use the SRC attribute directly to introduce an external URL. and set the CB function on it. When the resource is loaded, the good one function is defined and a name is given to the CB function, and the returned data is passed as a parameter to the function.
XSS and CSRF:
CSRF: Cross-site request forgery, where unauthorized systems have access to a resource. To ensure URL security through XHR access, you can verify that the sending requestor has permission to access the appropriate resource. Method: Each request is accompanied by the corresponding algorithm calculation of the verification code, requires an SSL connection to access;
XSS: A cross-site scripting attack in which a malicious attacker inserts a malicious attack script code into a Web page. Solution: First: Transform and filter the requested data, including the conversion and filtering on the client and server side. By the URL, query the keyword, HTTP header, post data can set the specified length, in the appropriate format, filtering or ignoring part of the content and so on. Secondly, we can adopt homologous strategy to realize security;
About security issues: (XSS,CSRF,CORS,JSONP, homologous policy)