Many people, especially front-end developers, run into a problem when making AJAX requests with XMLHttpRequest: cross-domain requests.
When a JavaScript script tries to access a resource on another domain, the browser reports a message similar to "No 'Access-Control-Allow-Origin' header is present on the requested resource."
But I sometimes have a strong need for cross-domain requests, such as fetching data from other sites (there are now many ways to support cross-domain access, but that is not what this article is about). This restriction comes from a browser policy: the "same-origin policy".
1. What is the same-origin policy?
The same-origin policy is one of the browser's most basic security policies. It restricts documents or scripts that come from a different origin from reading or writing the current document.
The reason for this policy, as you probably already know, is to protect the security of the user's information.
2. If there were no same-origin policy
Assume there are two domains, a.com and b.com. Without this security policy, when the user visits a.com, a script from a.com could modify or read the contents of b.com without loading the b.com page. The content of b.com pages could then be tampered with, and information could even be retrieved, including the session from the server side. Our web world would be a mess. It is because of the browser's same-origin policy that objects from different origins do not interfere with each other, which gives the pages we visit their most basic security.
3. What is cross-domain?
The browser allows access to resources from the same origin, but by default it does not allow access to resources from a different origin. Accessing resources from a different origin is what we call cross-domain.
Image source: http://www.cnblogs.com/rainman/archive/2011/02/20/1959325.html
As the table shows, a different domain name, subdomain, port number, or protocol each makes a different origin. When a script is considered to come from a different origin, its request is rejected by the browser.
4. src can load across domains
It is important to note that all tags with the "src" attribute in the document can load resources across domains without being constrained by the same-origin policy, such as <script>, <iframe>, <link> and so on. If you define these tags on the page, each page load issues a GET request for the resource from the other origin. However, for resources loaded through src, the browser restricts scripts from reading or writing the content that is returned. With Ajax requests in particular, note that XMLHttpRequest cannot access resources across domains.
5. Note
When a page on b.com loads a non-same-origin resource with <script src='a.com/a.js'></script>, a.js runs on b.com. So for the current page, the origin of a.js is b.com, not a.com.
Therefore, the domain where the resource is stored (a.com) does not matter to the page; what matters is the domain of the page that loads the resource (b.com).
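The origin comparison from section 3 and the rule from section 5 can be checked with a short script. This is an added example, not code from the original article; the URLs and the function names (originTuple, compareOrigins, scriptMayRead) are constructed for illustration, and it models the same-origin policy only, without any cross-domain opt-in.

```javascript
// Added example: URLs are constructed samples, function names are hypothetical.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) tuple that defines its origin.
function originTuple(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname, // the URL parser lower-cases the host
    port: u.port || DEFAULT_PORTS[u.protocol] || "", // "" means default port
  };
}

// Compare two URLs and report which origin components differ.
function compareOrigins(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  const differs = ["scheme", "host", "port"].filter((k) => x[k] !== y[k]);
  return { sameOrigin: differs.length === 0, differs };
}

// A script runs with the origin of the page that loaded it, not the origin
// of its src URL, so only the page URL decides what the script may read.
function scriptMayRead(pageUrl, scriptSrc, targetUrl) {
  return {
    scriptLoadedFrom: new URL(scriptSrc, pageUrl).origin, // informational only
    runsAs: new URL(pageUrl).origin,
    allowed: compareOrigins(pageUrl, targetUrl).sameOrigin,
  };
}

const base = "http://www.a.com/dir/page.html";
for (const other of [
  "http://www.a.com/other/page.html",    // path is not part of the origin
  "http://www.a.com:80/x",               // explicit default port
  "https://www.a.com/dir/page.html",     // scheme (and so default port) differs
  "http://www.a.com:8080/dir/page.html", // port differs
  "http://script.a.com/dir/page.html",   // subdomain differs
  "http://b.com/",                       // domain differs
]) {
  console.log(other, compareOrigins(base, other));
}

// a.js is hosted on a.com but loaded by a page on b.com.
console.log(scriptMayRead("http://b.com/index.html", "http://a.com/a.js", "http://a.com/data.json"));
console.log(scriptMayRead("http://b.com/index.html", "http://a.com/a.js", "http://b.com/data.json"));
```

The last two calls show that a.js, once loaded into a b.com page, is treated as b.com: it may read b.com data but not data on a.com, where the file itself is stored.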