Cross-domain issues
If any one of the protocol, domain name, or port differs, the two are considered different domains (origins).
Why are there cross-domain restrictions?
Some cross-domain security incidents that have occurred in the past:
Sina Weibo XSS attack event
On the evening of June 28, 2011, Sina Weibo suffered a large-scale XSS attack. A large number of users automatically posted Weibo entries and private messages with titles such as "Some overlooked details of the Guo Meimei incident", "Goofs in The Founding of a Party", "100 lines of verse that move a woman's heart", "Torrent seed for the 3D HD Mandarin version", "This is the legendary immortal couple", "Shocking!" and so on, and automatically followed a user named Hellosamy.
The timeline of the incident was as follows:
- 20:14, a large number of verified (V) users were infected by the worm
- 20:30, the page hosting the worm script on a certain website became inaccessible
- 20:32, the Hellosamy account on Sina Weibo became inaccessible
- 21:02, Sina completed the bug fix
Source: http://coolshell.cn/articles/4914.html
Baidu Post XSS attack event
On the night of March 9, 2014, dozens of Baidu Tieba forums ("bars"), such as the Liu'an bar, saw posts in which clicking a promoted post caused it to be automatically reposted, and so on.
Each follower of a user who had reposted the post would in turn repost it, so the post spread in a viral loop; as a result, bar moderators and ordinary members alike were banned.
CORS protocol
CORS (Cross-Origin Resource Sharing) is the W3C standard protocol (https://www.w3.org/TR/cors/) that defines how browsers and servers should communicate when accessing cross-origin resources. The basic idea behind CORS is to have the browser and the server use custom HTTP headers to determine whether a cross-origin request or response should succeed or fail.
Support for CORS browsers
CORS support in the various browsers is shown in the figure (figure from: http://caniuse.com/#search=cors). Known gaps:
- IE11 does not appear to support CORS for images in the canvas element
- Android and some old versions of WebKit (which may be found in various WebView implementations) do not support Access-Control-Expose-Headers: https://code.google.com/p/android/issues/detail?id=56726
- IE10+ does not make a CORS request if the port is the only difference (IE Bug #781303)
- IE10+ does not send cookies when withCredentials=true (IE Bug #759587). A workaround is to use a P3P policy
CORS Workflow
Figure from: http://www.html5rocks.com/en/tutorials/cors/
If the browser supports CORS, the request it sends carries a header named "Origin" indicating the site on which the requesting page resides.
When the resource provider receives such a request, it can decide, based on this header, with whom the resource should be shared. The provider's authorization is carried by a response header called "Access-Control-Allow-Origin", whose value names the site being authorized. In general, if the resource provider accepts the site carried in the request's "Origin" header, it uses that site as the value of the "Access-Control-Allow-Origin" response header. Instead of specifying one particular origin, the resource provider can also set the "Access-Control-Allow-Origin" value to "*" to authorize all consumers.
When the browser receives the response containing the resource, it extracts the value of the "Access-Control-Allow-Origin" response header. If this value is "*" or matches the origin of the request (that is, the value of the request's "Origin" header), the consumer is allowed to obtain and manipulate the resource from this provider, so the browser lets the JavaScript program operate on it. If this response header is absent or its value is "null", the client-side JavaScript program is denied access to the resource.
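To make the exchange above concrete, here is an added example (not code from the original article or from any project it links to) that models both sides as plain functions and compares origins the way the page defines them at the top (protocol, domain name and port must all match); the allowlist and the consumer sites in it are constructed.

```javascript
// Added example, not from the original article: a pure-function model of the
// CORS exchange described above, with origins compared as the page defines them
// (scheme, host and port must all match). The allowlist values are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",          // constructed sample consumer site
  "https://admin.example.com:8443",   // non-default port is part of the origin
]);

// Normalize an Origin value with the URL API, so "https://app.example.com:443"
// and "https://app.example.com" compare equal; malformed or opaque ("null")
// origins come back as null and are never granted access.
function normalizeOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// Resource provider side: reflect the request's Origin only if it is on the
// allowlist. Vary: Origin keeps caches from serving one site's answer to
// another; "*" is deliberately never emitted for credentialed responses.
function corsResponseHeaders(originHeader, withCredentials) {
  const origin = normalizeOrigin(originHeader);
  const headers = { Vary: "Origin" };
  if (origin !== null && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    if (withCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers; // no Access-Control-Allow-Origin => browser denies JS access
}

// Browser side: the decision the article describes when the response arrives.
function browserAllowsRead(requestOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined || acao === "null") return false;
  if (acao === "*") return !withCredentials; // "*" is rejected with credentials
  return normalizeOrigin(acao) === normalizeOrigin(requestOrigin);
}

// One complete exchange: the consumer at requestOrigin asks for the resource,
// the provider answers, and the browser decides whether script may read it.
function crossOriginRead(requestOrigin, withCredentials = false) {
  const headers = corsResponseHeaders(requestOrigin, withCredentials);
  return browserAllowsRead(requestOrigin, headers, withCredentials);
}
```

Note that a scheme or port mismatch is enough to fail the check, which is exactly why the page counts such sites as different domains.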
Server-side support for CORS flowchart
Figure from: http://www.html5rocks.com/en/tutorials/cors/
For adding CORS cross-origin request support to Tomcat, please refer to http://blog.csdn.net/liuwei063608/article/details/47273971
Previously, when we dealt with cross-domain problems, we used JSONP; the comparison with CORS is as follows:
CORS is undoubtedly newer and more complete than JSONP.
1. JSONP can only implement GET requests, while CORS supports all types of HTTP requests.
2. With CORS, developers can use an ordinary XMLHttpRequest to initiate the request and obtain the data, which gives better error handling than JSONP.
3. JSONP is mainly supported by older browsers, which often do not support CORS, while most modern browsers already support CORS.
Resources:
Cross-origin Resource Sharing Protocol Introduction
http://www.cnblogs.com/shanyou/archive/2012/09/16/2687907.html
Detailed JS cross-domain problem
1190000000718840
The W3C CORS specification
http://www.cnblogs.com/artech/p/cors-4-asp-net-web-api-02.html
Spring solves cross-domain issues with the CORS protocol
http://www.open-open.com/lib/view/open1463878352785.html
CORS Protocol (cross-domain resource sharing)