1. Same origin and the same-origin policy
Same origin means that the protocol, port, and domain name are all the same.
The same-origin policy is a convention and the most central and basic security feature of the browser; without it, the normal functioning of the browser may be affected. It can be said that the Web is built on the same-origin policy, and the browser is only an implementation of that policy.
2. Cross-domain
Web browsers have a security policy called the same-origin policy, which prevents a web page from accessing data in another domain. Web sites typically get around this policy by having their own servers request content from the other site's servers on the back end, which bypasses the browser's checks.
3. Front-end cross-domain
Front-end cross-domain access means getting around the browser's security policy on the front end to transfer data or communicate between different domains, for example using AJAX to request data from a different domain, or using JS to read data from a frame (IFRAME) in the page that belongs to a different domain.
Cross-domain workarounds:
1. Add a command-line flag to the browser shortcut's target to allow cross-domain access (this approach is for individual use only):
The first: --allow-file-access-from-files
The second: --disable-web-security
2. Configure a filter in the back-end web.xml (not recommended)
    <filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>com.itxc.filter.corsfilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
3. Configure an Nginx proxy server (recommended)
For details, see the article on configuring Nginx.
4. The JSONP method. JSONP is an unofficial method that supports only GET requests, which is less secure than POST. By adding the header parameters below to the response headers, you can implement cross-domain Ajax POST access.
    // Specify which other domain names are allowed access
    header('Access-Control-Allow-Origin: *');
    // Response type
    header('Access-Control-Allow-Methods: POST');
    // Response header settings
    header('Access-Control-Allow-Headers: x-requested-with,content-type');
Access-Control-Allow-Origin: * allows cross-domain access from any domain name.
If you need to allow cross-domain access from one specified domain name only, change Access-Control-Allow-Origin: * to Access-Control-Allow-Origin: followed by the allowed domain name.
5. Cross-domain access via IFRAME, not covered in detail here.
Summary: Traditional cross-domain requests have no good solution beyond JSONP and IFRAME. As cross-domain requests have become more and more common, the W3C has provided a standard scheme for them (Cross-Origin Resource Sharing). IE8, Firefox 3.5 and later, Chrome, Safari 4 and others have implemented the Cross-Origin Resource Sharing specification, which enables cross-domain requests. When the server responds to the client, it includes the Access-Control-Allow-Origin header.
If you set Access-Control-Allow-Origin: *, scripts from all domain names are allowed to access the resource.
Access-Control-Allow-Origin: http://www.phpddt.com.com allows a specific domain name to access the resource.
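An added example, not code from the original post: Access-Control-Allow-Origin carries a single value (* or one origin), so a server that must allow several specific domains checks the request's Origin header against an allow-list and echoes back only an exact match. The origins and function names are assumptions made for illustration; the method and header values are the ones used in the header() lines above.

```javascript
// Added example. Origins are constructed placeholders, not from the post.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);
const ALLOWED_METHODS = ["POST"];
const ALLOWED_HEADERS = ["x-requested-with", "content-type"];

// CORS headers for one request. Without Access-Control-Allow-Origin in the
// response, the browser refuses to hand the response to the calling script.
function corsHeaders(requestOrigin) {
  // Exact match on the whole origin (scheme + host + port). Prefix, suffix
  // or substring tests would also accept look-alike hosts.
  if (typeof requestOrigin !== "string" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return { Vary: "Origin" };
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin, // the one matched origin, never "*"
    "Access-Control-Allow-Methods": ALLOWED_METHODS.join(","),
    "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(","),
    Vary: "Origin", // response differs per Origin, so caches must key on it
  };
}

// Decision for a preflight (OPTIONS) request. The arguments are the Origin,
// Access-Control-Request-Method and Access-Control-Request-Headers values.
function preflight(requestOrigin, requestedMethod, requestedHeaders) {
  const headers = corsHeaders(requestOrigin);
  const wanted = (requestedHeaders || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  const allowed =
    "Access-Control-Allow-Origin" in headers &&
    ALLOWED_METHODS.includes(requestedMethod) &&
    wanted.every((h) => ALLOWED_HEADERS.includes(h));
  return allowed
    ? { status: 204, headers }
    : { status: 403, headers: { Vary: "Origin" } };
}
```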
Server configuration:
    <system.web>
        <!-- provides access to Web services -->
        <webServices>
            <protocols>
                <add name="HttpSoap"/>
                <add name="HttpPost"/>
                <add name="HttpGet"/>
                <add name="Documentation"/>
            </protocols>
        </webServices>
    </system.web>
    <configuration>
        <system.webServer>
            <httpProtocol>
                <customHeaders>
                    <add name="Access-Control-Allow-Methods" value="OPTIONS,POST,GET"/>
                    <add name="Access-Control-Allow-Headers" value="x-requested-with,content-type"/>
                    <!-- * means any site can make cross-domain requests; put a domain name here instead to allow only that domain -->
                    <add name="Access-Control-Allow-Origin" value="*"/>
                </customHeaders>
            </httpProtocol>
            <modules>
                <add name="Myhttpmodule" type="Webservicedemo.myhttpmodule"/>
            </modules>
        </system.webServer>
    </configuration>
Note:
Sam Jason
Blog: http://www.cnblogs.com/zengming/
< Readers with different ideas or opinions are welcome to discuss and make progress together >
Access-Control-Allow-Origin cross-domain issues