JavaScript same-origin policy and web security

Source: Internet
Author: User

The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is a security mechanism for isolating potentially malicious web pages from each other.

Definition of origin

Two web pages are considered to have the same origin only if they have the same protocol, host and port.

For example, http://xxx.yyy.com:8000/zzz/page.html and http://xxx.yyy.com:8000/kkk/index.html have the same origin, because only the path differs.

about:blank, javascript: and data: URLs inherit the origin of the document that loads them.

The same-origin policy controls interactions between different origins, such as when you use XMLHttpRequest or an HTML element that embeds a resource (for example an image). These interactions are typically placed into three categories:

  • Cross-origin writes are usually allowed, for example links, redirects, or form submissions.
  • Cross-origin embedding is also usually allowed, for example:
      • JavaScript included with <script src="..."></script>. In this case, details of syntax errors are only reported for same-origin scripts. (Content-Type: text/javascript or application/javascript)
      • CSS included with <link rel="stylesheet" href="...">. Note that because of the CSS syntax rules, cross-origin CSS requires a correct Content-Type header (Content-Type: text/css).
      • Images included with the image tag, including PNG, JPEG, GIF, BMP, SVG, etc.
      • Plug-ins included with <video>, <embed> or <applet>.
      • Fonts included with @font-face. Be aware that while Chrome works well, some browsers, such as Firefox and IE, may not load fonts from a different origin. In that case, if you serve fonts from your own CDN (which is common), you need to configure the CDN to send the CORS header, for example in Apache:
        # Apache config: send the CORS header for font files
        <FilesMatch "\.(eot|ttf|otf|woff)$">
            Header set Access-Control-Allow-Origin "*"
        </FilesMatch>
      • Anything included with <frame> and <iframe>. Note: a website can use X-Frame-Options to prevent its own pages from being framed by someone else.
  • Cross-origin reads are generally not allowed, but embedding a resource often leaks partial read access. For example, a script can read the width and height of an embedded image.

How do I allow cross-origin access? Use the CORS mechanism. In the example below, the client sends a request with an Origin header, and the server permits the cross-origin read by answering with an Access-Control-Allow-Origin header.

    var invocation = new XMLHttpRequest();
    var url = 'http://bar.other/resources/public-data/';

    // Called on each state change; the response body is only readable because
    // the server answers with Access-Control-Allow-Origin (see below).
    function handler() {
      if (invocation.readyState === 4 && invocation.status === 200) {
        console.log(invocation.responseText);
      }
    }

    function callOtherDomain() {
      if (invocation) {
        invocation.open('GET', url, true);
        invocation.onreadystatechange = handler;
        invocation.send();
      }
    }

Request sent by the browser (note the Origin header):

    GET /resources/public-data/ HTTP/1.1
    Host: bar.other
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Connection: keep-alive
    Referer: http://foo.example/examples/access-control/simplexsinvocation.html
    Origin: http://foo.example

Response headers from the server (Access-Control-Allow-Origin permits any origin to read the response):

    Access-Control-Allow-Origin: *
    Keep-Alive: timeout=2, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: application/xml
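As an added example (not from the original page or from MDN), here is the server-side half of the exchange above written as plain JavaScript: instead of answering Access-Control-Allow-Origin: * for everyone, the server compares the Origin header the browser sent against an allowlist, using the protocol/host/port definition of origin given earlier. The allowlist entries and the raw request string are constructed for illustration.

```javascript
// Added example, not part of the original page.
// Allowlist of origins permitted to read this resource (constructed values).
const ALLOWED_ORIGINS = new Set(['http://foo.example', 'https://app.example.com']);

// Normalise an origin string the way the same-origin rule defines it:
// scheme + host + port. URL.origin lowercases the host and drops default ports,
// so 'http://FOO.example:80' and 'http://foo.example' compare equal.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin; // 'null' for opaque origins such as data:
  } catch (e) {
    return null; // missing or malformed Origin header: treat as not allowed
  }
}

// Response headers to add for a given Origin header value. An empty object
// means "send no CORS header", which makes the browser block the read.
function corsHeadersFor(originHeader) {
  const origin = normalizeOrigin(originHeader);
  if (origin === null || origin === 'null' || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    // Echo the specific allowed origin rather than "*" ...
    'Access-Control-Allow-Origin': origin,
    // ... and tell caches that the answer depends on the requesting origin.
    'Vary': 'Origin',
  };
}

// Pull the Origin header out of a raw HTTP request (header names are
// case-insensitive, so compare them lowercased).
function originFromRawRequest(raw) {
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const idx = line.indexOf(':');
    if (idx > 0 && line.slice(0, idx).trim().toLowerCase() === 'origin') {
      return line.slice(idx + 1).trim();
    }
  }
  return undefined;
}

// Constructed sample request, modelled on the one shown above.
const SAMPLE_REQUEST = [
  'GET /resources/public-data/ HTTP/1.1',
  'Host: bar.other',
  'Origin: http://foo.example',
].join('\r\n');
```

A request from http://foo.example:8000 is a different origin (different port) and gets no CORS header, exactly as the origin definition above requires.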

How do I block cross-origin access?

    • To block cross-origin writes, check for a token in the request that is not easily guessed (a CSRF token). Note that you must also block cross-origin reads of the pages that contain this token.
    • To block cross-origin reads of a resource, you must ensure that it cannot be embedded. Usually, embedding has to be stopped, because embedding a resource will often leak some of its information.
    • To prevent cross-origin embedding, make sure your resource cannot be interpreted as any of the embeddable formats described above. Browsers do not respect the Content-Type header in most cases. For example, if you point a <script> tag at an HTML document, the browser will do its best to parse the HTML as JavaScript. When your resource is not an entry point to your site, you can also use a CSRF token to block embedding.

Cross-origin script API access

JavaScript APIs such as iframe.contentWindow, window.parent, window.open and window.opener allow documents to reference each other directly. When the two documents have different origins, these references only give very limited access to the window and location objects; the permitted properties are listed in the MDN article linked below.

Https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
