The cornerstone of browser security is the "same-origin policy". Many developers know of it, but not all of them understand it thoroughly.
This article describes in detail the various aspects of the same-origin policy and how to circumvent it.
I. Overview
1.1 Meaning
In 1995, the same-origin policy was introduced into the browser by Netscape Corporation. Currently, all browsers implement this policy.
Initially, it meant that a Cookie set by page A cannot be read by page B unless the two pages are "same-origin". "Same-origin" means "three things identical":
- same protocol
- same domain name
- same port
For example, for the URL http://www.example.com/dir/page.html, the protocol is http://, the domain name is www.example.com, and the port is 80 (the default port can be omitted). Its same-origin status relative to other URLs is as follows.
- http://www.example.com/dir2/other.html: same-origin
- http://example.com/dir/other.html: not same-origin (domain name differs)
- http://v2.www.example.com/dir/other.html: not same-origin (domain name differs)
- http://www.example.com:81/dir/other.html: not same-origin (port differs)
1.2 Purpose
The purpose of the same-origin policy is to protect the security of user information and to prevent malicious websites from stealing data.
Imagine this situation: site A is a bank, the user logs in, and then goes to browse other websites. What happens if those other websites can read site A's Cookie?
Obviously, if the Cookie contains private information (such as the total deposit), that information is leaked. Even scarier, Cookies are often used to save the user's login state; if the user has not logged out, other sites can impersonate the user and do whatever they like. Moreover, the browser also allows forms to be submitted across sites, since form submission is not restricted by the same-origin policy.
Thus the same-origin policy is necessary; otherwise Cookies could be shared freely and the Internet would have no security to speak of.
1.3 Scope of the restrictions
As the Internet has developed, the same-origin policy has become increasingly strict. At present, if two pages are not same-origin, three kinds of behaviour are restricted.
(1) Cookies, LocalStorage and IndexedDB cannot be read.
(2) The DOM cannot be accessed.
(3) AJAX requests cannot be sent.
While these restrictions are necessary, they are sometimes inconvenient, and legitimate uses are affected too. Below, I describe in detail how to circumvent each of the three restrictions.
II. Cookies
A Cookie is a small piece of information that the server writes into the browser, and only same-origin pages can share it. However, if two pages have the same first-level domain name and differ only in the second-level domain name, the browser allows them to share Cookies by setting document.domain.
For example, page A is http://w1.example.com/a.html and page B is http://w2.example.com/b.html; as long as both pages set the same document.domain, the two pages can share Cookies.
document.domain = 'example.com';
Page A now sets a Cookie through a script.
document.cookie = "test1=hello";
Page B reads this Cookie.
var allCookie = document.cookie;
Note that this method applies only to Cookies and iframe windows. LocalStorage and IndexedDB cannot circumvent the same-origin policy this way; they must use the postMessage API described below.
In addition, when the server sets the Cookie, it can also specify the Cookie's domain as the first-level domain name, for example .example.com.
Set-Cookie: key=value; domain=.example.com; path=/
In this case, pages on second-level and third-level domain names can read this Cookie without any further settings.
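As an added illustration (not code from the original article), the following Node.js script models the origin comparison from section 1.1 on the four example URLs, and the two Cookie-sharing relaxations from this section: the document.domain trick and the Set-Cookie domain attribute. The function names and the simplified matching rules are assumptions of this example; real browsers additionally reject public suffixes (such as "com") for both mechanisms, and modern browsers are disabling the document.domain setter altogether.

```javascript
// Added example: origin tuple comparison and the two cookie-sharing relaxations
// discussed in the article. Runs in plain Node.js; nothing here touches a browser.

// Default ports that the URL parser leaves empty when they are omitted or explicit.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to the (protocol, host, port) triple the same-origin policy compares.
function originOf(url) {
  const u = new URL(url);
  return {
    protocol: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Strict same-origin check: all three components must be identical.
function isSameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// document.domain relaxation (simplified model, an assumption of this example):
// both pages must use the same scheme, and the chosen value must be each page's
// own host or a superdomain of it. Only then do the two pages become same-origin
// for DOM and cookie access. A public-suffix check is deliberately omitted here.
function canRelaxViaDocumentDomain(a, b, domain) {
  const x = originOf(a);
  const y = originOf(b);
  const d = domain.toLowerCase();
  const isSuperdomain = (host) => host === d || host.endsWith('.' + d);
  return x.protocol === y.protocol && isSuperdomain(x.host) && isSuperdomain(y.host);
}

// Cookie Domain attribute matching as in RFC 6265 section 5.1.3: a leading dot
// is ignored, and the cookie is sent to that domain and all of its subdomains.
// "badexample.com" must NOT match ".example.com", hence the explicit dot check.
function cookieDomainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

module.exports = { originOf, isSameOrigin, canRelaxViaDocumentDomain, cookieDomainMatches };
```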