Access-Control-Allow-Origin cross-domain issues

Source: Internet
Author: User

1. Same origin and the same-origin policy

Same origin means that the protocol, port, and domain name are all the same.

The same-origin policy is a convention, and it is the browser's most central and basic security feature; without it, the normal functioning of the browser may be affected. It is fair to say that the Web is built on the same-origin policy, and the browser is just one implementation of it.

2. Cross-domain

Web browsers have a security policy called the same-origin policy, which prevents web pages from accessing data in another domain. Web sites typically get around this policy by having their own back-end servers request content from the other site's servers, which avoids the browser's checks.

3. Front-end cross-domain

Front-end cross-domain means getting around the browser's security policy from the front end in order to transfer data or communicate between different domains, for example using AJAX to request data from a different domain, or using JS to read data from a frame (IFRAME) of a different domain in the page.

Cross-domain workarounds:

1. Add a switch to the browser shortcut's target to allow cross-domain access (this approach is for individual use only):

First option: --allow-file-access-from-files

Second option: --disable-web-security

2. Configure a filter in the back end's web.xml (not recommended)

    <filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>com.itxc.filter.corsfilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

3. Configure an Nginx proxy server (recommended)

For details, see the article on configuring Nginx.

4. JSONP. JSONP is an unofficial method, and it only supports GET, which is less secure than POST. By adding the headers below to the response to the request, you can enable cross-domain AJAX POST access.

Specify the other domain names that are allowed access

      header('Access-Control-Allow-Origin: *');

Response type

      header('Access-Control-Allow-Methods: POST');

Response header settings

      header('Access-Control-Allow-Headers: X-Requested-With, Content-Type');

Access-Control-Allow-Origin: * allows any domain name to make cross-domain requests.

If you need to allow cross-domain access only from a specific domain name, change Access-Control-Allow-Origin: * to Access-Control-Allow-Origin: followed by the allowed domain name.

5. Cross-domain access via IFRAME (not covered in detail here).

Summary: Traditionally there was no good solution for cross-domain requests, nothing more than JSONP and IFRAME. As cross-domain requests became more and more common, the W3C provided a standard scheme for them: Cross-Origin Resource Sharing. IE8, Firefox 3.5 and later versions, Chrome, Safari 4, etc. have implemented the Cross-Origin Resource Sharing specification, which enables cross-domain requests. When the server responds to the client, it includes the Access-Control-Allow-Origin header.

If you set Access-Control-Allow-Origin: *, scripts from all domain names are allowed to access the resource.

Access-Control-Allow-Origin: http://www.phpddt.com.com allows only that specific domain name to access it.
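The "specific domain name" option from the header section and the summary above, as an added example that is not part of the original post: the server compares the request's Origin against an exact allowlist (protocol, domain and port, the same three parts that define same origin) and only then returns the CORS headers. The names ALLOWED_ORIGINS, normaliseOrigin and corsHeaders and the sample requests are assumptions made for illustration.

```javascript
// Added example: pick CORS response headers from an exact-match origin allowlist.
// ALLOWED_ORIGINS, normaliseOrigin and corsHeaders are illustrative names.
const ALLOWED_ORIGINS = new Set(["http://www.phpddt.com.com"]); // domain used in the post
const ALLOWED_METHODS = "POST";
const ALLOWED_HEADERS = "X-Requested-With, Content-Type";

// Reduce an Origin header value to scheme://host[:port]; null if it is not one.
function normaliseOrigin(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null; // covers the literal "null" origin and malformed values
  }
  // A real Origin header has no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null;
  }
  return url.origin; // default ports are dropped, e.g. ":80" for http
}

// Return the headers to add to a response for the given request.
function corsHeaders(requestOrigin, requestMethod) {
  // Vary keeps shared caches from replaying one origin's grant to another.
  const headers = { Vary: "Origin" };
  const origin = normaliseOrigin(requestOrigin);
  // Exact match on protocol, host and port: no substring or suffix tests.
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return headers;
  headers["Access-Control-Allow-Origin"] = origin;
  if (requestMethod === "OPTIONS") { // preflight request
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
  }
  return headers;
}

// Constructed sample requests: [Origin header, method].
const samples = [
  ["http://www.phpddt.com.com", "OPTIONS"],
  ["https://www.phpddt.com.com", "POST"],              // different protocol
  ["http://www.phpddt.com.com:8080", "POST"],          // different port
  ["http://www.phpddt.com.com.other.example", "POST"], // different domain
];
for (const [origin, method] of samples) {
  console.log(origin, method, JSON.stringify(corsHeaders(origin, method)));
}
```

Only the first sample receives Access-Control-Allow-Origin; the others get just Vary: Origin, so the browser blocks the cross-domain read.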

Server configuration:

    <system.web>
      <!-- provides access to Web services -->
      <webServices>
        <protocols>
          <add name="HttpSoap"/>
          <add name="HttpPost"/>
          <add name="HttpGet"/>
          <add name="Documentation"/>
        </protocols>
      </webServices>
    </system.web>

    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="Access-Control-Allow-Methods" value="OPTIONS,POST,GET"/>
            <add name="Access-Control-Allow-Headers" value="X-Requested-With,Content-Type"/>
            <!-- * means any site can make cross-domain requests; put a domain name here to allow only that domain. -->
            <add name="Access-Control-Allow-Origin" value="*"/>
          </customHeaders>
        </httpProtocol>
        <modules>
          <add name="Myhttpmodule" type="Webservicedemo.myhttpmodule"/>
        </modules>
      </system.webServer>
    </configuration>

Note:

Sam Jason

Blog: http://www.cnblogs.com/zengming/

< welcome students with different ideas or opinions to discuss together and progress together >
