How to solve js cross-origin problems

Javascript cross-origin is one of the most common problems for web developers. The so-called js cross-origin problem refers to the Access to Data Objects in another different domain through js on a page in one domain. For security consideration, almost all browsers do not allow this cross-origin access, this causes cross-origin web services to become a problem in some ajax applications. Currently, there are some ready-made solutions on the client and server to solve js cross-origin problems, but these solutions cannot solve all problems. Next, let's take a look at some common solutions and provide a space solution based on the Cross-Domain problem requirements of space products. We hope it can be used for reference by other product groups.
Client Solution
Almost all web developers will first consider how to solve js cross-domain issues on the client. Currently, there are two most common methods: setting document. domain and loading through script labels.
Set document. domain
The premise of using this method is that the two pages involved in the cross-origin request must belong to a basic domain (for example, both xxx.com and xxx.com.cn) and use the same protocol (for example, all pages are http) and the same port (for example, both 80 ). For example, if a page in aaa.xxx.com needs to call an object in bbb.xxx.com, set the document. domain of both pages to xxx.com to implement cross-origin calls. In addition, you must note that this method can only be used in parent and child pages, that is, it is only useful when using iframe for data access.
Load with script labels
For the browser, the src attribute of the script tag points to the resource, just like the src attribute of the img Tag points to the resource, it is a static resource, the browser automatically loads these resources when appropriate, without the so-called cross-origin issue. In this way, we can reference the data object to be accessed through this attribute to the current page and bypass the js cross-origin issue. For example, in space projects, you need to randomly recommend several popular modules on the Management Center page under the hi domain to users, because the related information of popular modules is maintained by the php module in the act domain, if you directly obtain information about the list of Recommendation modules in the act domain through ajax requests in the hi domain, the js cross-origin issue occurs. The simplest way to solve this problem is to access the http interface provided by the act domain through the script tag in the hi domain:
<Script type = "text/javascript" src = "http://act.hi.baidu.com/widget/recommend"> <script>
Of course, the premise is that the http interface of the act domain must return a js script, such as a script defined by a json object array:
Modlist = [
{"Modname": "mod1", "usernum": 200, "url": "/widget/info/1 "},
{"Modname": "mod2", "usernum": 300, "url": "/widget/info/2 "},
...
];
But the script tag also has some limitations and cannot solve all js cross-origin problems. The src attribute value of the script tag cannot be dynamically changed to meet the needs of obtaining different data under different conditions. More importantly, you cannot correctly access the data organized in xml content in this way.
Server Solution
From the above description, we can see that the client solution has too many limitations and that ajax cross-origin requests cannot be solved on the client regardless of whether the two domains belong to the same basic domain. That is to say, if we want to access data in other domains in the ajax request, we can only process the data through the server. The basic principle of the server solution is that the client sends the request to the local server, and then the agent of the local server requests the data and returns the response to the client. The most common server solution is to use the proxy function provided by the web server, such as the mod_proxy module of apache and lighttpd. In Baidu, the transfer function can also solve some cross-domain problems. However, these methods have some limitations. In view of security and other issues, space finally developed a spproxy module dedicated to processing cross-origin request proxy services, it is used to completely solve js cross-origin problems. Next we will take the open space platform as an example to briefly introduce how to solve this cross-origin problem through the mod_proxy of apache, the shunting of transmit, And the spproxy module of space, this section briefly introduces some features and disadvantages of spproxy and the next improvement plan. Before displaying each UWA open module, the space must request the xml source code of the module for parsing. The source code files of each module are stored in the/ow/uwa directory under the act domain, the js cross-origin issue occurs when the xml file is requested on the user space homepage (hi domain. To solve this problem, JavaScript can only request xml files from the web server of the hi domain, while the hi domain web server uses a certain proxy mechanism (such as mod_proxy, transmit shunting, spproxy) request a file from the web server in the act domain.
Use the mod_proxy module of apache
If apache is a 2.0 series version, you can add the following configuration in the httpd. conf file:
ProxyRequests Off
<Proxy *>
Order deny, allow
Allow from all
</Proxy>
ProxyPass/ow/uwa http://act.hi.baidu.com/ow/uwa
The ProxyRequests command disables the forward Proxy function of mod_proxy and enables the reverse Proxy function. The Proxy Command makes this configuration effective for all accesses, the ProxyPass command converts access to any resources in the/ow/uwa directory of the current domain into a proxy request for resources in the/ow/uwa directory of the act.hi.baidu.com domain.. In this way, js can directly obtain the 0/1. xml file in the/ow/uwa/10001/0/directory under the act domain by accessing the http://hi.baidu.com/ow/uwa/0/1/0/10001.xml.
If apache is a version 1.3 that has been modified by Baidu's product lines, the mod_proxy and mod_rewrite modules must be used together to achieve the same purpose. First, add the following Location command in httpd. conf:
<Location/ow/uwa>
SetHandler proxy-server
Order allow, deny
Allow from all
</Location>
In this way, access to any resources under the/ow/uwa directory in the current domain will first be handled by the proxy-server handler (a handler defined in the mod_proxy module, however, this configuration does not work, because the proxy-server does not know how to handle it, but it only needs to be handled by itself. In this case, you also need to add a rewrite rule in the configuration segment:
RewriteRule ^/ow/uwa/(. *) $ http://act.hi.baidu.com/ow/uwa/#1? % {QUERY_STRING} [P, L]
[P, L] at the end of the Rewrite rule indicates that the rewrite passes through the mod_proxy proxy instead of the external redirection. If the P Flag is removed, the following rewrite rules are used:
RewriteRule ^/ow/uwa/(. *) $ http://act.hi.baidu.com/ow/uwa/#1? % {QUERY_STRING} [L]
Then, the resource uri returned to the client on time scale will be the redirected uri. In our example, the uri of the act.hi.baidu.com domain will still cause cross-domain JavaScript in the browser. The above is just a simple application of apache's proxy function. For more powerful introduction, see [1] and [2 ]. Although Mod_proxy is powerful, it is not used to solve cross-domain problems. First, each front-end machine must be able to access the Internet, otherwise, the request proxy can only be sent to one of the front-end machines (rewrite or proxy by using the machine name as the Intranet domain name), which is obviously not desirable, because one of our domain names is usually composed of many front-end machines, acting only on one of them will cause the pressure on this machine to be unbalanced compared with other machines, or even unable to support the pressure, adding Internet access permissions to all front-end machines may cause some security policy problems (the specific reasons are unclear, but op and sa obviously do not agree with this approach ). Secondly, because apache does not have a good anti-ddos mechanism, once someone uses a proxy to attack the target domain (such as our competitor's website ), from the perspective of the web server in the target domain, the attacker became us. When such a thing happened, we were completely confused.
Use the transmit shunting Solution
The product line that has used transmit should know that in addition to attack prevention, transmit also has an important function of shunting. With the shunting function, we can distribute access to specific URLs to different apache for cross-origin access. Let's take the example of a spatial open platform as an example. Suppose our act domain is composed of two machines, jx-space-act00.jx and jx-space-act01.jx, In the jx data center. The port of apache is 8080, as long as the following configuration is added to the transmit configuration file transmit_common.conf:
PP_APACHE_DIR:/ow/uwa/
PP_APACHE0: jx-space-act00.jx: 8080
PP_APACHE1: jx-space-act01.jx: 8080
After the transmit is restarted, users in the south can access the http://hi.baidu.com/ow/uwa/0/1/0/10001.xml to obtain the issue. If we want to asynchronously obtain other data in the act domain, such as the data provided by the/sys/widget/xxx interface, in js in the hi domain, you only need to add a directory definition in the PP_APACHE_DIR configuration item:
PP_APACHE_DIR:/ow/uwa/,/sys/widget/
Because the old version of transmit only supports one shunting, it cannot be used to simultaneously solve cross-domain requests to multiple external domains. At the same time, it must support the old version of transmit, the back-end apache requires corresponding code modification and configuration, which also limits our shunting function and cannot solve cross-domain Cross-Domain problem across non-Baidu domains. However, the good news is that the new version of transmit recently released by gm allows n shunting requests and does not make any modifications to backend apache. Therefore, the limitations on the old version of transmit will no longer exist, it can solve the cross-domain problem to a certain extent. The specific configuration method is similar to that of the old version. You can refer to the configuration file of the new version transmit to modify it accordingly.
Use the spproxy Module
However, in space's Open Platform System, we didn't solve the cross-origin problem through transmit. As mentioned above, transmit can only solve this problem to a certain extent. Why? Because you need to restart the transmit program after modifying the configuration to increase the traffic distribution, and its performance will decrease as the Traffic Distribution Branch increases, after all, when each request arrives, it needs to traverse all the shunting branches to determine which branch should be taken. For open platforms, any new open module may introduce one or more new external domains, which causes the number of distributed branches of transmit to linearly increase with the increase of the number of open modules, this will be unacceptable in both op O & M and program performance. Based on this consideration, space introduced a new module, the spproxy module, in the second phase of the open platform project, to provide the cross-origin request proxy service, thus completely solving the js cross-origin problem. In a sense, spproxy is actually a ui. It receives a request from apache, processes the request to obtain real page data, and then returns it to apache, then, apache returns the result to the client. Spproxy only receives one apache command number (AC_SYS_PROXY: 38) and provides two http interfaces:
/Sys/pxy/ajax? Url = xxxx and/sys/pxy/xml? Url = xxx
Among them,/sys/pxy/can be modified to another directory name through the apache configuration file. The url parameter is the uri of the data that js wants for cross-origin requests (url encoding is required, if there are parameters in the url), the only difference between the xml interface and the ajax interface is that spproxy forcibly sets the Content-Type returned by the former to text/xml, while for the latter, the Content-Type returned by the external Domain Server is the type. The Apache end only needs to add the following two configurations to allow spproxy to process the requests of the above two http interfaces. Of course, the premise is that the apache used is an apache that has been rewritten by ns, currently, apache 1.3 is the main version:
CmdNoMap pxy 38
Invalid host pxy 10.23.64.185 20540
Pxy is the second directory name in the http interface and can be customized. For example, if proxy is written in the configuration, the http interface is/sys/proxy/ajax? Url = xxx and/sys/proxy/xml? Url = xxx; 38 is the command number that spproxy can process and can be changed to another value during compilation; 10.23.64.185 20540 is the ip address of the machine where spproxy is located and the listening port of spproxy. Through the above configuration, the js under the hi domain can be accessed through asynchronous http://hi.baidu.com/sys/pxy/xml? Url = http: // container/uwa/0/1/0/10001. xml. If the resource uri for cross-origin access has parameters such as http://act.hi.baidu.com/widget/recommend? Num = 6, then the parameter value needs to be url encoded during access, such as http://hi.baidu.com/sys/pxy/xml? Url = http % 3A % 2F % 2 Fact % 2Ehi % 2 Ebaidu % 2 Ecom % 2 Fwidget % 2 Frecommend % 3 Fnum % 3D6.
Spproxy Introduction
Spproxy is a single-process module developed based on the epoll network model. It contains a data capture thread and a timed loading thread: The capture thread and proxy for cross-origin requests, capture the page content corresponding to the specified url and return it to the front-end. This thread uses the epoll model to increase the concurrency of request processing, regularly load the domain name White List and some reload configuration items (such as various time-out times, whether to forcibly specify the cache expiration time, etc) spproxy uses a domain name whitelist to restrict domain names that can be accessed across domains in JavaScript to reduce security risks, you only need to add a line to spproxy's domain name whitelist file spproxy_domainlist.txt when adding a js external domain that can be accessed across domains. This will take effect after 5 minutes (the specific effective time can be configured. Because the epoll network model is used, spproxy can defend against slow connection attacks. It also has the same powerful anti-attack function as space ui. To reduce requests to external domain servers to improve the response speed of cross-origin requests and reduce the risk of blocking our proxy services by external domain servers, spproxy itself provides a relatively simple cache function. If the cache expiration time is specified in the http header of the page returned by the external Domain Server, spproxy calculates a reasonable expiration value for the page's cache expiration time based on the http header and caches the page; if no cache expiration time is specified in the http header returned by the external Domain Server or the cache is not required, spproxy will continue to cache the page for a short period of time. The expiration time can be configured. In addition, most of the time-out configurations and domain name whitelists involved in the spproxy module can be reloaded at regular intervals, so as to adjust the parameters of online services and increase the trust domain, the Service does not need to be restarted to invalidate the cache. However, spproxy still has some disadvantages: The response body that the callback returns to spproxy cannot be compressed and the spproxy will indicate this in the http header when requesting from the external domain, this will increase the read response time and bandwidth consumption of external domain websites. Currently, Spproxy only calculates the page Cache expiration time based on the max-age attribute in the cache-Control field in the http Response Header of the external Domain Server, in fact, the cache-control fields returned by many websites do not use max-age to indicate the cache expiration time. Currently, container Spproxy only supports the GET method and does not support other http methods, spproxy does not support any size of external domain pages, but you can change the configuration to the next step by changing the maximum page data volume it can receive, spproxy will make some improvements in resolving the cache-control field in the http response header to control the cache of the returned page more rationally. In addition, the next step will also support cross-origin requests through the POST method. To improve the security of cross-origin requests.

Author: ERDP Technical Architecture"