[Repost] The browser same-origin policy and how to circumvent it

Source: Internet
Author: User

The cornerstone of browser security is the "same-origin policy". Many developers know of it, but few understand it fully.

This article describes the various aspects of the "same-origin policy" in detail, and how to circumvent it.

1. Overview

1.1 Meaning

In 1995, the same-origin policy was introduced into the browser by Netscape Corporation. Currently, all browsers implement this policy.

Originally, it meant that a cookie set by page A cannot be read by page B unless the two pages are "same-origin". "Same-origin" means that three things are identical:

    • Same protocol
    • Same domain name
    • Same port

For example, for the URL http://www.example.com/dir/page.html, the protocol is http://, the domain name is www.example.com, and the port is 80 (the default port may be omitted). Its same-origin status relative to other URLs is as follows.

    • http://www.example.com/dir2/other.html: same-origin
    • http://example.com/dir/other.html: not same-origin (different domain name)
    • http://v2.www.example.com/dir/other.html: not same-origin (different domain name)
    • http://www.example.com:81/dir/other.html: not same-origin (different port)
1.2 Purpose

The purpose of the same-origin policy is to protect users' information and to prevent malicious websites from stealing data.

Imagine that site A is a bank. The user logs in and then visits other websites. What happens if those other websites can read site A's cookie?

Obviously, if the cookie contains private data (such as the account balance), that information is leaked. What is worse, cookies are often used to keep a user logged in, so if the user has not logged out, the other sites can impersonate the user and do whatever they like, because the browser also allows forms to be submitted across origins (form submission is not restricted by the same-origin policy).

Thus the "same-origin policy" is necessary; otherwise cookies could be shared freely and the Internet would have no security to speak of.

1.3 Scope of the restrictions

As the Internet has developed, the "same-origin policy" has become more and more strict. At present, if two pages are not same-origin, three kinds of behaviour are restricted:

(1) Cookies, localStorage and IndexedDB cannot be read.

(2) The DOM cannot be accessed.

(3) AJAX requests cannot be sent.

While these restrictions are necessary, they are sometimes inconvenient, and legitimate uses are affected as well. Below, I describe in detail how to circumvent each of the three restrictions.

2. Cookies

Cookies are small pieces of information that the server writes into the browser, and only same-origin pages can share them. However, if two pages have the same first-level domain name and differ only in the second-level domain name, the browser allows them to share cookies by setting document.domain.

For example, page A is http://w1.example.com/a.html and page B is http://w2.example.com/b.html. As long as both pages set the same document.domain, they can share cookies.

document.domain = 'example.com';

Page A now sets a cookie via script:

document.cookie = "test1=hello";

Page B reads this cookie:

var allCookie = document.cookie;

Note that this method applies only to cookies and iframe windows. localStorage and IndexedDB cannot circumvent the same-origin policy this way; they need the postMessage API described below.

In addition, when the server sets the cookie it can specify the cookie's domain as the first-level domain name, for example .example.com:

Set-Cookie: key=value; domain=.example.com; path=/

In this case, second-level and third-level domain names can read this cookie without any further setup.
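As an added example that is not part of the original article, the following JavaScript implements the three checks the text describes: the "three identical" rule from section 1.1, the values a page may assign to document.domain, and how a cookie's Domain attribute decides which hosts receive it. All hostnames are constructed, and the public-suffix handling in canSetDocumentDomain is a deliberate simplification (an assumption, not browser-exact behaviour).

```javascript
// Added example (not from the original article): explicit checks for the
// "three identical" rule of section 1.1, the document.domain relaxation and
// the Set-Cookie Domain attribute of section 2. Hostnames are constructed.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Split a URL into the three components the same-origin policy compares;
// a missing port is filled in with the protocol's default.
function originParts(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,
    hostname: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Two URLs are same-origin only if protocol, hostname and port all match.
// Path differences (dir/page.html vs dir2/other.html) never matter.
function isSameOrigin(a, b) {
  const x = originParts(a), y = originParts(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// Values a page may assign to document.domain: its own host or a suffix of it
// at a label boundary. Browsers also refuse public suffixes such as "com";
// that is simplified here (assumption) to "the value must contain a dot".
function canSetDocumentDomain(currentHost, newValue) {
  const h = currentHost.toLowerCase(), v = newValue.toLowerCase();
  return v === h || (h.endsWith('.' + v) && v.includes('.'));
}

// Cookie Domain matching as browsers apply it: a cookie with
// Domain=.example.com (the leading dot is ignored) is sent to example.com
// and to every subdomain of it, but not to a host that merely ends in the text.
function cookieDomainMatches(cookieDomain, requestHost) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = requestHost.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Constructed input mirroring the article's list in section 1.1.
const base = 'http://www.example.com/dir/page.html';
const sameOriginTable = [
  'http://www.example.com/dir2/other.html',
  'http://example.com/dir/other.html',
  'http://v2.www.example.com/dir/other.html',
  'http://www.example.com:81/dir/other.html',
].map((u) => [u, isSameOrigin(base, u)]);
```

Current browsers have largely retired the document.domain setter (Chrome makes it a no-op by default since version 115 unless the site opts out with an Origin-Agent-Cluster: ?0 header), so the cookie Domain attribute is the supported way to share a cookie across subdomains today.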
