Original: http://www.cnblogs.com/Darren_code/p/cors.html

Cross-domain access is a question I often ask in my day-to-day interviews, and the term comes up frequently in front-end work. The main reason is a security restriction, the same-origin policy: JavaScript or cookies can only access content under the same domain. Because we inevitably need cross-domain operations in our daily projects, cross-domain capability is one of the basic skills of a front-end engineer. As with most cross-domain solutions, JSONP is also my choice, but one day the PM's requirements changed and a function had to be changed to support POST, because with the volume of data transferred the GET form is uncertain. So I turned to the long-known CORS (cross-origin resource sharing), and this article summarizes that period of experimenting.

Overview
Normal use of Ajax requires taking cross-domain issues into account, so programmers have come up with a series of cross-domain solutions, such as JSONP, Flash, iframe, XHR2 and so on. The CORS described in this article is a solution to the Ajax cross-domain problem.
CORS defines a mechanism for cross-domain access that lets Ajax requests cross domains: a web application on one domain can submit cross-domain Ajax requests to another domain. It is very simple to implement, and the server only needs to send one response header.
- CORS browser support:
Support is gratifyingly broad, especially on mobile, with the exception of Opera Mini. Modern browsers on the PC also support it well, with the exception of IE9 and below, but front-end engineers should be accustomed to this situation...

CORS sets sail

Assume that our page or application is already on http://www.test1.com, and we intend to fetch data from http://www.test2.com. In general, if we request it directly with Ajax, the request will fail and the browser will return an "origin mismatch" error; that is where the term "cross-domain" comes from. With CORS, http://www.test2.com only needs to add one header to allow requests from http://www.test1.com. In my header() setting in PHP, "*" indicates that any domain is allowed to submit requests to our server:
You can also set a specified domain name, such as the domain name http://www.test2.com, which then allows requests from this domain name:
Currently I set the header to "*", so the server can handle and respond to a request from anywhere. In the debugging tool you can then see the header information; the entry in the red box is "Access-Control-Allow-Origin: *", indicating that we have enabled CORS. PS: Because the demo was done on two test machines at my company, which cannot be reached from the outside network, I do not provide a demo here; forgive me. With one simple header setting, a server that supports cross-domain POST requests is complete :) Of course, if you do not enable CORS, the request is bound to fail.

Questions & Summary
- Compatibility, as just discussed. CORS is a relatively new scheme on the web, so some browsers do not support it yet or do not support it perfectly; for details, see http://www.w3.org/TR/cors/
- Security issues. CORS provides a scheme for cross-domain requests, but does not provide sufficient safeguards for secure access. If you need information to be absolutely secure, do not rely on the permission system in CORS; use additional measures to protect it, such as OAuth2.
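The two header settings described earlier ("*" versus a specified domain) and the security point above, as an added example that is not the author's code: a JavaScript function (the article's own server uses PHP) that decides the CORS response headers per request from an exact-match allowlist. The names ALLOWED_ORIGINS and corsHeaders are assumptions of this sketch, and http://www.test1.com is the requesting page from the article's scenario.

```javascript
// Added example, not the author's code. Hostnames follow the article's scenario;
// ALLOWED_ORIGINS and corsHeaders are names chosen for this sketch.
const ALLOWED_ORIGINS = new Set(["http://www.test1.com"]);

// Build the CORS response headers for one request.
// method: HTTP method; origin: value of the Origin request header (may be undefined).
function corsHeaders(method, origin) {
  // Vary on Origin so a shared cache never replays one origin's answer to another.
  const headers = { Vary: "Origin" };

  // Exact match on the whole origin string (scheme + host + port).
  // No substring, prefix or suffix tests, so "http://www.test1.com.example.net"
  // and "https://www.test1.com" are both treated as different origins.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return headers; // no Access-Control-Allow-Origin: the browser refuses the read
  }

  // Echo the single allowed origin instead of "*".
  headers["Access-Control-Allow-Origin"] = origin;

  if (method === "OPTIONS") {
    // Preflight, sent before a non-simple request such as a POST with a JSON body.
    headers["Access-Control-Allow-Methods"] = "POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Constructed sample requests: [method, Origin header].
const samples = [
  ["POST", "http://www.test1.com"],             // allowed
  ["OPTIONS", "http://www.test1.com"],          // allowed preflight
  ["POST", "http://www.test1.com.example.net"], // look-alike host, rejected
  ["POST", "https://www.test1.com"],            // different scheme, rejected
  ["POST", undefined],                          // no Origin header, rejected
];
for (const [method, origin] of samples) {
  console.log(method, origin, JSON.stringify(corsHeaders(method, origin)));
}
```

Withholding the header only stops the browser from exposing the response to the calling page; a simple request has still reached the server, so access to the data itself has to be checked separately, for example with OAuth2 as noted above.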
CORS usage scenarios as I see them:
- CORS support on mobile is good, so you can consider trying it fully on the mobile side; on the PC, support is neither fully compatible nor perfect, so watch out for pitfalls. Of course, browser compatibility is a false proposition: it is not as if any particular browser version is perfectly compatible, and a few small pitfalls do no great harm! ~
- JSONP uses the GET form, so the amount of information is limited; when the amount of information is large, CORS is the choice;
- Work with new JS APIs (File API, XHR2, etc.) to achieve powerful new experiences.
Wishing everyone a smooth 2014. Finally, friends in Beijing and Shanghai who want to change jobs after the Spring Festival: the "Baidu Mobile Cloud Division" looks forward to smart, diligent people like you contacting me (JD in the top right corner of the page).
References:
http://www.w3.org/TR/cors/
http://www.html5rocks.com/en/tutorials/cors/
http://caniuse.com/#search=cors

Nievidong
Source: http://www.cnblogs.com/Darren_code/
This article is copyrighted by the author and the Blog Park. Reprinting is welcome, but unless the author agrees otherwise, this paragraph must be retained and a link to the original must be given in an obvious location on the article page.
AJAX POST & cross-domain solution: CORS