We all know that JavaScript can manipulate the content of the Web document, imagine, if this is not limited, then JS can do too much, the risk is too high, so that it can manipulate the content of which documents have a limit, this is the same-origin policy. Under what circumstances will the homologous strategy play a role? This strategy works when a Web page uses multiple <iframe> elements or opens another browser window. The meaning of the same-origin policy: The script can read only the properties of windows and documents that belong to the same source as the document. Here is a question of how a browser can tell if the source of the script has been judged by how the two are homologous. Note that the source of the script itself is not the basis for judging whether it is homologous, but rather the source of the document to which the script belongs. 1. Judging the script source for example: in document A through the script src reference an external script, the script is provided by Google, also from Google's host loaded into document A, then who is the document of this script, the answer is document A. 2. Determine if the origin of the script is understood, and then understand how to determine whether the same origin: if two documents
protocol, host, and URL ports for loading documentsThere are a few differences in these three points that they are not homologous. The same-origin strategy is a significant improvement in security, but this practice is "rather wrong to kill 3,000, not let go of one." If a multi-domain site needs to share attributes between different subdomains, the same-origin policy becomes annoying. Here are three ways to implement the "less restrictive homology strategy": 1. The domain property of the Document object by default, attribute domain holds the host name of the server on which the document is loaded. This property is writable. If two windows contain scripts that set domain to the same value, then the two windows are no longer constrained by the same-origin policy, and they can read each other's properties. 2. Cross-domain resource sharing (cross-origin Resource sharing) This method extends HTTP with the new "Origin:" Request header and the new response header "Access-control-allow-origin". 3. Cross-document messaging (cross-document Messaging) allows scripts from one document to pass text messages to scripts in another document, regardless of whether the source is the same. Call the PostMessage () method of the Window object to asynchronously pass the message event into the window's document. This approach is only a messaging technology.
Same-origin policy in JavaScript
