The latest addition to the standard for implementing HTTP cross-domain requests, Cross-Origin Resource Sharing, works by having the cross-domain target server return a series of headers; these headers control whether the cross-domain request is allowed.
These headers are (numbered as in section 4, "Syntax", of the specification):
- 4.1 Access-Control-Allow-Origin (HTTP response header)
- 4.2 Access-Control-Max-Age (HTTP response header)
- 4.3 Access-Control-Allow-Credentials (HTTP response header)
- 4.4 Access-Control-Allow-Methods (HTTP response header)
- 4.5 Access-Control-Allow-Headers (HTTP response header)
- 4.6 Origin (HTTP request header)
- 4.7 Access-Control-Request-Method (HTTP request header)
- 4.8 Access-Control-Request-Headers (HTTP request header)
Some of them appear in the request and some in the response.
The most sensitive of these is the Access-Control-Allow-Origin header, which the browser uses to decide whether the cross-domain request may pass (the Access Control Check).
The cross-domain process is roughly as follows:
A cross-domain request is initiated from http://www.a.com/test.html to the address http://www.b.com/test.php. If server B returns a header like the following:
Access-Control-Allow-Origin: http://www.a.com
then the cross-domain request from http://www.a.com/test.html is allowed through.
During this process the request also carries this header: Origin: http://www.a.com
What is more dangerous is that the Access-Control-Allow-Origin value can also be the wildcard character *.
If it is *, the server accepts requests from any origin.
I can already imagine the horrible consequences of this feature being abused by programmers and used to make a backdoor!
Captured on Firefox 3.1 Beta 2 (through a proxy), the exchange looks like this:

```
GET http://www.b.com/test.php http/1.1
Host:www.b.com
user-agent:mozilla/5.0 (Windows; U Windows NT 5.1; ZH-CN; RV:1.9.1B2) gecko/20081201 firefox/3.1b2 paros/3.2.13
accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language:zh-cn,zh;q=0.5
accept-charset:gb2312,utf-8;q=0.7,*;q=0.7
keep-alive:300
Proxy-connection:keep-alive
Referer:http://www.a.com/test.html
Origin:http://www.a.com
Cache-control:max-age=0

http/1.1 OK
Date:thu, 06:28:54 GMT
server:apache/2.0.63 (WIN32) php/5.2.6
x-powered-by:php/5.2.6
Access-control-allow-origin: *
Content-length:28
Content-type:text/html

Cross Domain Request test!
```
The two pieces of code are roughly as follows:

www.a.com/test.html:

```html
<script>
// Ordinary XMLHttpRequest; in Firefox 3.1 the browser itself adds the
// Origin header and performs the Access Control Check on the response.
var client = new XMLHttpRequest();
client.open("GET", "http://www.b.com/test.php");
client.onreadystatechange = function () {
  // The response body is only readable here if the
  // Access-Control-Allow-Origin check passed.
};
client.send(null);
</script>
```

www.b.com/test.php simply outputs the text: Cross Domain Request test!
Besides this header, other headers control things such as the allowed methods and the caching time of the check result; refer to the standard for those, I won't repeat them here.
For security reasons, a cross-domain request cannot access the document.cookie object.
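To make the Access Control Check described above concrete, here is an added example (not code from the original post) of the server-side policy www.b.com should use instead of returning Access-Control-Allow-Origin: *, together with the browser-side decision it feeds. The function names, the ALLOWED_ORIGINS list and the fixed Allow-Methods/Allow-Headers/Max-Age values are assumptions chosen for the example.

```javascript
// Added example: allowlist-based CORS policy for www.b.com (assumed names).
// Constructed allowlist: only the page on www.a.com may read responses.
const ALLOWED_ORIGINS = ["http://www.a.com"];

// Build the CORS response headers for one request from the request headers
// the browser sent (Origin, plus Access-Control-Request-Method/-Headers on a
// preflight). Header names are matched case-insensitively.
function corsHeaders(reqHeaders, allowed = ALLOWED_ORIGINS) {
  const h = {};
  for (const k of Object.keys(reqHeaders)) h[k.toLowerCase()] = reqHeaders[k];
  const origin = h["origin"];
  // Vary: Origin so a shared cache never serves one origin's headers to another.
  const out = { "Vary": "Origin" };
  if (origin === undefined || !allowed.includes(origin)) {
    // No match: emit no Access-Control-Allow-* headers at all; the browser
    // then fails its Access Control Check and withholds the response.
    return out;
  }
  // Echo the exact allowlisted origin, never the wildcard "*".
  out["Access-Control-Allow-Origin"] = origin;
  out["Access-Control-Allow-Credentials"] = "true";
  if (h["access-control-request-method"] !== undefined) {
    // Preflight: fixed, explicit policy rather than echoing what was requested.
    out["Access-Control-Allow-Methods"] = "GET, POST";
    out["Access-Control-Allow-Headers"] = "Content-Type";
    out["Access-Control-Max-Age"] = "600";
  }
  return out;
}

// Browser-side Access Control Check: the request passes when the returned
// Allow-Origin equals the requesting page's Origin or is the wildcard "*";
// a request made with credentials is never allowed through a wildcard.
function accessControlCheck(origin, resHeaders, withCredentials = false) {
  const acao = resHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  return acao === origin;
}
```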
In IE8 Beta 2, this cross-domain request is implemented through XDomainRequest, with code similar to the following:

```javascript
var request = new XDomainRequest();
request.open("GET", xdomainUrl); // xdomainUrl: the cross-domain target URL
request.send();
```

It likewise requires the other server to return this header.
IE developers released a small video today: http://ieblog.members.winisp.net/images/XdomainRequest-small.wmv
Currently the browsers that support this cross-domain implementation are:
- Firefox 3.1 Beta 2
- IE 8 Beta 2
It will take some time before it becomes widespread.
Finally, here is the Firefox 3.1 documentation on implementing cross-domain requests:
https://developer.mozilla.org/En/HTTP_access_control