The same-origin policy: the document model
The same-origin policy (SOP), also called the single-origin policy, is a security measure in web browser programming environments such as JavaScript and Ajax that protects the confidentiality and integrity of information.
It prevents a site's scripts from accessing documents and scripts that belong to other sites, and from interacting with those scripts.
| Original resource | Resource to access | Non-IE browsers | IE |
|---|---|---|---|
| http://example.com/a/ | http://example.com/b/ | Can access | Can access |
| http://example.com/ | http://www.example.com/ | Host mismatch | Host mismatch |
| http://example.com/a/ | https://example.com/a/ | Protocol mismatch | Protocol mismatch |
| http://example.com:81/ | http://example.com/ | Port mismatch | Can access |
The same-origin policy was originally designed to govern access to the DOM and was later extended step by step to JavaScript objects, though not to all of them.
For example, scripts from different origins can still call location.assign() and location.replace() on each other's windows.
The same-origin policy improves security, but it also reduces flexibility.
For example, it is hard to pass data conveniently between two domains such as login.example.com and payments.example.com.
Two solutions are described below: document.domain and postMessage().
JavaScript allows subdomains of one parent domain to relax their origin to that shared parent.
For example, login.example.com and payments.example.com can both set:
document.domain = "example.com"
Once this property is set on both sides, the two subdomains can communicate easily; note that the protocol and port number must still be the same.
| Original resource URL | Its document.domain | Resource to access | Its document.domain | Result |
|---|---|---|---|---|
| http://www.example.com/ | example.com | http://payments.example.com/ | example.com | Can access |
| http://www.example.com/ | example.com | https://payments.example.com/ | example.com | Protocol mismatch |
| http://payments.example.com | example.com | http://example.com/ | (not set) | Access denied |
| http://www.example.com/ | (not set) | http://www.example.com | example.com | Access denied |
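The two tables above can be reduced to a small model: an origin is the (scheme, host, port) tuple, and document.domain only relaxes the host part when both documents explicitly opt in to the same value. The code below is an added example, not code from the original article; it models the non-IE column (IE's tolerance of a port mismatch is not reproduced), and the function names are this example's own.

```javascript
// Split a URL into its origin tuple; Node's built-in URL leaves `port` empty
// for the scheme default, so normalise it to an explicit number.
function originOf(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.replace(":", "");
  const port = u.port || (scheme === "https" ? "443" : "80");
  return { scheme, host: u.hostname, port };
}

// Strict same-origin check (first table): scheme, host and port must all match.
function sameOriginResult(a, b) {
  const A = originOf(a), B = originOf(b);
  if (A.scheme !== B.scheme) return "Protocol mismatch";
  if (A.host !== B.host) return "Host mismatch";
  if (A.port !== B.port) return "Port mismatch";
  return "Can access";
}

// document.domain relaxation (second table). domA / domB are the values each
// document explicitly assigned, or null when it never set the property.
// Assumed rule, taken from the table: scheme and port still have to match,
// both sides must have set the same value, and that value must be a
// label-boundary suffix of each host (so "ample.com" does not match).
function domainRelaxedResult(a, domA, b, domB) {
  const A = originOf(a), B = originOf(b);
  if (A.scheme !== B.scheme) return "Protocol mismatch";
  if (A.port !== B.port) return "Port mismatch";
  if (domA === null || domB === null) return "Access denied";
  if (domA !== domB) return "Access denied";
  const isSuffix = (host, d) => host === d || host.endsWith("." + d);
  if (!isSuffix(A.host, domA) || !isSuffix(B.host, domB)) return "Access denied";
  return "Can access";
}
```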
postMessage() is an HTML5 API; because it is relatively new, it is not supported in IE6 and IE7.
1. Send a message to another iframe:
var message = "Hello" + (new Date().getTime());
window.parent.frames[1].postMessage(message, "*");
iframe1.html needs to send a message to iframe2.html, which is the second iframe, so the target is window.parent.frames[1].
To send a message to the parent page, the target is window.parent.
postMessage takes two parameters, and both are required. The first is the data you want to send.
The second is very important, mainly for security reasons: it normally holds the origin that is allowed to receive the message.
To keep the example simple it uses "*", meaning the target origin is not checked.
2. The other iframe listens for message events:
In iframe2.html, register a listener for the message event; it fires whenever a message is delivered to iframe2.html.
var onmessage = function (e) {
  var data = e.data,
      p = document.createElement("p");
  p.innerHTML = data;
  document.getElementById("display").appendChild(p);
};
// listen for postMessage message events
if (typeof window.addEventListener != "undefined") {
  window.addEventListener("message", onmessage, false);
} else if (typeof window.attachEvent != "undefined") {
  window.attachEvent("onmessage", onmessage);
}
If you want to restrict which domain may take part, as in the following code:
window.parent.frames[1].postMessage(message, "http://www.test.com");
then the onmessage handler must check the sender's origin before using the data:
if (e.origin !== "http://www.test.com") return;
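The receiving side of the exchange above, as an added example that is not part of the original article: the origin check is kept in a pure function so it can be exercised outside a browser with constructed MessageEvent-like objects. ALLOWED_ORIGINS, makeMessageHandler and sendTo are this example's own names; the browser wiring is shown only in a comment.

```javascript
// Constructed allowlist of origins this frame is willing to hear from.
const ALLOWED_ORIGINS = ["http://www.test.com", "https://www.test.com"];

// Build a handler that accepts messages only from the allowlist.
// `deliver` receives the accepted payload; the handler returns true when it accepted.
function makeMessageHandler(allowedOrigins, deliver) {
  return function onmessage(event) {
    // Compare the whole origin string. A substring test such as
    // event.origin.indexOf("test.com") !== -1 would also accept "eviltest.com".
    if (!allowedOrigins.includes(event.origin)) return false;
    // Hand the payload on as text, not markup, so a sender cannot inject HTML
    // (the article's handler writes e.data into innerHTML; textContent avoids that).
    deliver(String(event.data));
    return true;
  };
}

// Browser wiring (not executed here):
// window.addEventListener("message", makeMessageHandler(ALLOWED_ORIGINS, function (text) {
//   var p = document.createElement("p");
//   p.textContent = text;
//   document.getElementById("display").appendChild(p);
// }), false);

// Sender side: name the target origin instead of "*" whenever the message is not
// public, so the browser drops it if the frame was navigated somewhere else.
function sendTo(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing to broadcast a message to any origin");
  targetWindow.postMessage(message, targetOrigin);
}
```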
The same-origin policy for XMLHttpRequest
A simple synchronous XMLHttpRequest request:
var x = new XMLHttpRequest();
x.open("POST", "/some_script.cgi", false);
x.setRequestHeader("X-Random-Header", "Hi mom!");
x.send("...POST payload here...");
alert(x.responseText);
XMLHttpRequest strictly follows the same-origin policy: cross-origin requests are not allowed.
This API has been tested and improved a great deal; one earlier test case is listed below:
var x = new XMLHttpRequest();
x.open("POST", "http://www.example.com/", false);
// declare the body length as 7
x.setRequestHeader("Content-Length", "7");
// a hand-built HTTP request placed in the body
x.send("Gotcha!\n" +
       "GET /evil_response.html HTTP/1.1\n" +
       "Host: www.bunnyoutlet.com\n\n");
Current browsers no longer have the weakness shown above; among other changes, the TRACE method has essentially been disabled to prevent HttpOnly cookie leakage.
The same-origin policy for Web Storage
Web Storage was added by Mozilla's engineers in Firefox 1.5 and later became part of HTML5; it is now supported by all browsers except IE6 and IE7.
JavaScript can create, read and delete items in Web Storage through localStorage and sessionStorage:
localStorage.setItem("message", "Hi mom!");
alert(localStorage.getItem("message"));
localStorage.removeItem("message");
localStorage objects persist for a long time and follow the same-origin policy.
However, IE8 merges the localStorage of HTTP and HTTPS pages that share a domain name; this was fixed in IE9.
In Firefox, localStorage is fine, but sessionStorage likewise shares HTTP and HTTPS content under the same domain name.
Cookie security policy
Summary of setting cookies
| Cookie set from foo.example.com with Domain set to | Final scope of the cookie (non-IE browsers) | Final scope of the cookie (IE) |
|---|---|---|
| (empty) | foo.example.com only (host-only cookie) | *.foo.example.com |
| bar.foo.example.com | Setting fails: the domain is a subdomain of the current domain | Setting fails: the domain is a subdomain of the current domain |
| foo.example.com | *.foo.example.com | *.foo.example.com |
| baz.example.com | Setting fails: domain name does not match | Setting fails: domain name does not match |
| example.com | *.example.com | *.example.com |
| ample.com | Setting fails: domain name does not match | Setting fails: domain name does not match |
| .com | Setting fails: the domain is too broad and would be a security risk | Setting fails: the domain is too broad and would be a security risk |
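The Domain rules in the table above, as an added example rather than code from the original article: given the host that sets the cookie and the Domain attribute it requests, the function returns the resulting scope or the reason the cookie is refused, following the non-IE column. The public-suffix list is a constructed stand-in for the browser's real one, and cookieScope is this example's own name.

```javascript
// Constructed, deliberately tiny stand-in for the browser's public suffix list.
const PUBLIC_SUFFIXES = ["com", "co.uk"];

// Decide what scope a cookie gets when `setterHost` sets it with Domain=`domainAttr`.
// Returns { ok: true, scope } or { ok: false, reason }.
function cookieScope(setterHost, domainAttr) {
  const host = setterHost.toLowerCase();
  // Browsers ignore a leading dot in the Domain attribute (".com" is treated as "com").
  const dom = (domainAttr || "").toLowerCase().replace(/^\./, "");

  // No Domain attribute: host-only cookie, sent to exactly this host.
  if (dom === "") return { ok: true, scope: host };

  // A public suffix would be shared by every site under it: refused as too broad.
  if (PUBLIC_SUFFIXES.includes(dom)) return { ok: false, reason: "domain too wide" };

  // A host may not set cookies for its own subdomains (bar.foo.example.com).
  if (dom.endsWith("." + host)) {
    return { ok: false, reason: "domain is a subdomain of the current host" };
  }

  // Otherwise Domain must equal the host or be a parent at a label boundary.
  // "foo.example.com" ends with "ample.com" as a string but not as a domain,
  // which is why the dot is prepended before the suffix test.
  if (dom !== host && !host.endsWith("." + dom)) {
    return { ok: false, reason: "domain does not match" };
  }

  // Accepted: the cookie is sent to the domain and all of its subdomains.
  return { ok: true, scope: "*." + dom };
}
```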
The Path attribute of a cookie scopes it to a given directory.
For example, a cookie set with Domain=example.com and Path=/some/path/ is sent when accessing the URL below:
http://foo.example.com/some/path/subdirectory/hello_world.txt
This carries some security risk, because the Path attribute is not enforced by the same-origin policy and so provides no real isolation between pages of one origin.
The HttpOnly attribute prevents the cookie from being read through the document.cookie API.
The Secure attribute means the cookie is only sent over HTTPS, which protects it against man-in-the-middle attacks.
Adobe Flash
The allowScriptAccess parameter controls the restrictions on Flash calling JavaScript through the ExternalInterface.call() function.
It has three values: always, never and sameorigin; the last allows JavaScript calls only from the same domain (always was the default until 2008; the default is now sameorigin).
The allowNetworking parameter controls Flash's communication with the external network.
Its values are: all (all network traffic allowed, the default), internal (Flash cannot communicate with the browser, e.g. navigateToURL, but can call other APIs) and none (all network communication is prohibited).
Local files
Local files are accessed through the file: protocol, which has no host, so the same-origin policy cannot be applied in the usual way.
Therefore an HTML file saved locally and opened in the browser through the file: protocol can use XMLHttpRequest or DOM operations on other local files.
At the same time it can do the same with other resources on the Internet. Browser vendors are aware of the problem and are making changes:
Test code:
1.html (1.txt can contain any random string)
<script>
function createXHR() {
  return window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");
}
function getlocal(url) {
  var xmlHttp = createXHR();
  xmlHttp.open("GET", url, false);
  xmlHttp.send();
  return xmlHttp.responseText;
}
function main() {
  var url = "file:///PATH/1.txt"; // PATH is a placeholder for the directory that holds 1.txt
  alert(url);
  var result = getlocal(url);
  alert(result);
}
main();
</script>
Conclusions:
1. Chrome (and other WebKit-based browsers) completely forbids cross-document XMLHttpRequest and DOM operations between local files, and also forbids document.cookie and <meta http-equiv="Set-Cookie" ...>.
2. Firefox allows access to files in the same directory and its subdirectories. Cookies can also be set through document.cookie and <meta http-equiv="Set-Cookie" ...>; under the file: protocol cookies are shared, and so is storage.
3. IE7 and above allow access between local files, but show a prompt before executing JavaScript; once the user accepts, the script runs. Cookie handling is similar to Firefox, but storage is not supported under the file: protocol.
4. IE6 allows access to local files and also to resources over the http: protocol; cookies behave the same way.
Pseudo-URL domains
Some web applications use pseudo-URLs such as about:, javascript: and data: to create HTML documents.
This approach needs no communication with the server, which saves time and gives faster responses, but it also brings many security risks.
about:blank
The about: protocol has many uses in today's browsers, but most of them are not meant to fetch a normal page.
The URL about:blank can be used to create DOM objects, for example:
<iframe src="about:blank" name="test"></iframe><script> frames["test"].document.body.innerHTML = "
In the browser, an about:blank page inherits the domain of the page that created it.
That is the case when it is created by clicking a link, submitting a form or opening a new window; but when the user types about: by hand or opens it from a bookmark, its domain is a special one that no other page can access.
data: protocol
The data: protocol is designed to embed small pieces of data inline, which can reduce the number of HTTP requests, for example:
Use the following code to study its domain behaviour:
<iframe src="data:text/html;charset=utf-8,<script>alert(document.domain)</script>"></iframe>
In Chrome and Safari, every data: URL is given its own separate, unreachable domain, not inherited from the parent document.
In Firefox and Opera, the domain is inherited from the current page.
The data: protocol is not supported in versions before IE8.
javascript: and vbscript:
The javascript: protocol executes JavaScript code afterwards and inherits the current domain of the caller.
In some cases the content is processed twice: if the code runs correctly and evaluates to a string, that string is parsed as HTML and overwrites the original HTML document:
<iframe src='javascript:"<b>2 + 2 = " + (2+2) + "</b>"'></iframe>