A URL consists of four parts. For example, www.2cto.com (the default port of http is 80, and the default port of https is 443. If it is the default port, it can be omitted, so this URL is equivalent to www.2cto.com: 80
Protocol: http
HOST: www.2cto.com
Port: 80
Path :/
The so-called same source is the protocol that requires this URL. The host and port are all the same. Generally, the domain or domain is also the source concept here.
The preceding URL has the following results:
Other URLs |
Same source? |
Cause |
Http://blog.csdn.net/xilang/index.html |
Yes |
|
Http://blog.csdn.net/yanical/othersub |
Yes |
|
Https://blog.csdn.net/yanical |
No |
Different protocols and ports |
Http://blog.csdn.net: 81/yanical. |
No |
Different ports |
Http://www.csdn.net/ |
No |
Different Hosts |
There is an exception. javascript can modify the host and port values by setting document. domain. If this is done, the set value will be used as the standard for the same-source policy check. For example, for http://blog.csdn.net/yanicaland http://bbs.csdn.net/, you can execute the following javascript:
[Javascript] document. domain = "csdn.net ";
In this way, the two pages are the same source. For security reasons, it cannot be set to another primary domain, such as http://www.csdn.net/or Sina.com.
We can see that only the host part is set in javascript, and the port part is not mentioned. In fact, when executing the javascript above, the port is also set and set to null. So for http://blog.csdn.net: 81/yanical and retail.
The same-origin policy was first used to prevent a source js from getting or modifying the document attributes of another source. The javascript source here refers to the source of loading the HTML page of javascript, instead of the javascript source.
For example, there are two HTML and two javascript. .
Test.html:
[Html] <! Doctype html public "-// W3C // dtd html 4.0 Transitional // EN">
<Html>
<Head>
</Head>
<Body>
<Iframe id = "vFrame" name = "vFrame" src = "http: // 127.0.0.1/content/frame.html"> </iframe>
</Body>
<Script language = "javascript" src = "http: // 127.0.0.1/content/otherdomain. js"> </script>
<Script language = "javascript" src = "http: // localhost/content/samedomain. js"> </script>
<Script>
Document. write ('------ write from test.html ');
Alert (document. getElementById ('vframework'). contentDocument. body. innerHTML = '------ overwrite frame from test.html ';
</Script>
</Html>
Frame.html:
[Html] <! Doctype html public "-// W3C // dtd html 4.0 Transitional // EN">
<Html>
<Head>
</Head>
<Body>
<Script>
Document. write ('------ write from frame.html ');
</Script>
</Body>
</Html>
Otherdomain. js:
[Javascript] document. write ('------ write from otherdomain. js ');
Samedomain. js:
[Javascript] document. write ('------ write from samedomain. js ');
Visit http: // localhost/test.html. The execution result is as follows:
We can see that test.htmland otherdomain.js are different sources, but they are the same source because otherdomain.jsis loaded in test.html. But test.htmland frame.html are not the same source, and the browser blocks the modification request.
The same-origin policy is also used to determine whether an XMLHTTPRequest (AJAX) is valid. A page can only initiate AJAX requests to the same source server.
It should be noted that the same-origin policy of Cookie is slightly different from that of javascript, that is, Cookie ignores the protocol.
Original from paper