The root cause of cross-domain restrictions: JavaScript's same-origin policy


The same-origin policy restricts how a document or script loaded from one origin can interact with resources from another origin.

Same-origin definition

Two pages have the same origin if they share the same protocol, port (if one is specified) and host.

The following table shows the result of comparing each URL against http://store.company.com/dir/page.html for same-origin purposes:

URL                                             Result   Reason
http://store.company.com/dir2/other.html        Success
http://store.company.com/dir/inner/another.html Success
https://store.company.com/secure.html           Failed   Different protocol
http://store.company.com:81/dir/etc.html        Failed   Different port
http://news.company.com/dir/other.html          Failed   Different host

See Origin definition for file: URLs.

Origin inheritance

Content loaded from about:blank, javascript: and data: URLs inherits the origin of the document that loaded it, because these URLs carry no information about an origin of their own.

Internet Explorer exceptions

Internet Explorer departs from the same-origin policy in two main ways.

    • Trust Zones: two domains that highly trust each other, such as corporate domains, are not subject to same-origin restrictions.
    • Port: IE does not include the port number in its definition of origin, so http://company.com:81/index.html and http://company.com/index.html are considered the same origin and no restrictions apply between them.

These exceptions are non-standard and not supported by other browsers, but they can be helpful when developing Windows RT or IE-based applications.

Changing origin

A page can change its own origin, within limits. The one exception to the same-origin policy is that a script may set document.domain to a value that is a suffix of the current domain; once it does so, the shorter domain is used as the basis for subsequent same-origin checks. For example, suppose a script in http://store.company.com/dir/other.html executes the following statement:

document.domain = "company.com";

After this statement executes, the page passes the same-origin check against http://company.com/dir/page.html. By the same reasoning, company.com cannot set document.domain to othercompany.com.

The browser stores the port number separately. Any assignment to document.domain, including document.domain = document.domain, overwrites the stored port number with null. A script on a company.com:8080 page therefore cannot communicate with company.com merely by setting document.domain = "company.com". The port number must be included in the assignment to ensure the port does not become null.

Note: to use document.domain safely to let a subdomain access its parent domain, document.domain must be set to the same value on both the subdomain and the parent domain. This is required even if it only means setting the parent's document.domain to its original value. Failing to do so may result in permission errors.
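As an added illustration (not code from the original article), the following JavaScript models the origin comparison from the table above and the document.domain relaxation just described, including the port being reset to null on assignment and the requirement that both documents set document.domain. The Doc class and function names are assumptions for this example only.

```javascript
// Model of the same-origin check: origins are compared on scheme, host and port.
function parseOrigin(url) {
  const u = new URL(url);
  // u.port is "" when the URL uses the scheme's default port (80 / 443).
  return { scheme: u.protocol.replace(":", ""), host: u.hostname, port: u.port };
}

// Strict same-origin check between two URLs (the table in the article).
function sameOrigin(urlA, urlB) {
  const a = parseOrigin(urlA), b = parseOrigin(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A document whose script may assign document.domain (hypothetical model class).
class Doc {
  constructor(url) {
    this.origin = parseOrigin(url);
    this.effectiveDomain = this.origin.host; // what document.domain would return
  }
  // Setter: only the current host or a suffix of it is accepted. Any successful
  // assignment, even to the current value, overwrites the stored port with null.
  // (Real browsers additionally reject public suffixes such as "com"; omitted here.)
  setDomain(value) {
    const host = this.origin.host;
    if (value !== host && !host.endsWith("." + value)) {
      throw new Error("SecurityError: cannot set document.domain to " + value);
    }
    this.effectiveDomain = value;
    this.origin.port = null;
  }
}

// Same-origin check between two documents after possible document.domain changes.
// Because assignment nulls the port, a document that set document.domain can only
// match another document that also set it: both ports are then null.
function docsSameOrigin(d1, d2) {
  return d1.origin.scheme === d2.origin.scheme &&
    d1.effectiveDomain === d2.effectiveDomain &&
    d1.origin.port === d2.origin.port;
}
```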

Cross-origin network access

The same-origin policy controls interactions between different origins, such as requests made with XMLHttpRequest or by HTML tags. These interactions fall into three categories:

    • Cross-origin writes are generally allowed, for example links, redirects and form submissions. Certain HTTP requests require a preflight first.
    • Cross-origin embedding is generally allowed; examples are listed below.
    • Cross-origin reads are generally not allowed, but read access is often leaked through embedding. For example, a page can read the width and height of an embedded image, observe the actions of an embedded script, or test whether an embedded resource is available.

Here are some examples of resources that can be embedded across domains:

    • <script src="..."></script> embeds a cross-origin script. Details of syntax errors are only available for same-origin scripts.
    • <link rel="stylesheet" href="..."> embeds CSS. Because of CSS's relaxed syntax rules, cross-origin CSS requires a correct Content-Type header. Restrictions vary by browser: IE, Firefox, Chrome, Safari (see CVE-2010-0051) and Opera.
    • <img> embeds images. Supported formats include PNG, JPEG, GIF, BMP, SVG and others.
    • <video> and <audio> embed multimedia resources.
    • Plugins loaded via <object>, <embed> and <applet>.
    • Fonts imported with @font-face. Some browsers allow cross-origin fonts, others require same-origin fonts.
    • Anything loaded by <frame> and <iframe>. A site can use the X-Frame-Options header to prevent this form of cross-origin interaction.

Implementing cross-origin access

Use CORS to allow cross-origin access.

Blocking cross-origin access

    • To prevent cross-origin writes, check for an unguessable token in the request, known as a Cross-Site Request Forgery (CSRF) token. You must then also prevent cross-origin reads of any page that carries this token.
    • To prevent cross-origin reads of a resource, ensure that it is not embeddable. Blocking embedding is necessary because embedding a resource always leaks some information about it.
    • To prevent cross-origin embedding, ensure that your resource is not in one of the embeddable formats listed above. In most cases browsers do not respect the Content-Type header; for example, if you point a <script> tag at an HTML document, the browser will still try to parse the HTML as JavaScript. When your resource is not an entry point to your site, you can also use a CSRF token to prevent embedding.

Cross-origin script API access

JavaScript APIs such as iframe.contentWindow, window.parent, window.open and window.opener allow documents to reference each other directly. When the two documents do not share an origin, these references give only very limited access to the Window and Location objects. To communicate between documents of different origins, use window.postMessage instead.
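As an added example (not code from the original article), here is the receiving side of a window.postMessage exchange written defensively: the handler accepts messages only from one trusted origin, validates the message shape, and replies only to the verified origin rather than "*". The origins cart.company.com and the get-cart-count message type are assumptions made for this example.

```javascript
// Origin of the embedding page that is allowed to talk to this frame (assumed).
const TRUSTED_ORIGIN = "https://store.company.com";

// Constructed stand-in for application state.
function cartCount() { return 3; }

// Message handler for the embedded frame. Returns the reply that was sent,
// or null when the message was rejected.
function handleMessage(event) {
  // 1. Check the sender's origin. The browser fills in event.origin and the
  //    sender cannot forge it, so this is the trust boundary.
  if (event.origin !== TRUSTED_ORIGIN) return null;

  // 2. Validate the payload before acting on it; a trusted origin can still
  //    send unexpected data (e.g. if it is itself compromised by XSS).
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type !== "get-cart-count" || !Number.isInteger(data.requestId)) return null;

  const reply = { type: "cart-count", requestId: data.requestId, count: cartCount() };

  // 3. Reply to the verified origin only. Passing "*" as targetOrigin would let
  //    the reply be delivered even if the opener window has navigated elsewhere.
  event.source.postMessage(reply, event.origin);
  return reply;
}

// Sender side (embedding page): always name the exact target origin so the
// browser drops the message if the frame has navigated to another origin.
function requestCartCount(frameWindow, requestId) {
  frameWindow.postMessage({ type: "get-cart-count", requestId }, "https://cart.company.com");
}

if (typeof window !== "undefined") {
  window.addEventListener("message", handleMessage);
}
```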

Cross-origin data storage access

Data stored in the browser, such as localStorage and IndexedDB, is partitioned by origin. Each origin has its own separate storage, and a script running in one origin cannot read or write data belonging to another origin.

The window.name property can be used to temporarily store data that is accessible across origins.

Cookies use a different definition of origin. A page can set a cookie for its own domain or for any parent domain, as long as the parent domain is not a public suffix. Firefox and Chrome use the Public Suffix List to decide whether a domain is a public suffix. Regardless of the protocol (HTTP/HTTPS) or port used, the browser makes the cookie available to the given domain and all of its subdomains. When setting a cookie, the Domain, Path, Secure and HttpOnly flags can be used to restrict its availability. When reading a cookie, you cannot tell where it was set: even over a secure HTTPS connection, any cookie you see may have been set over an insecure connection.

See also

    • Same-origin policy for file: URIs
    • Same-origin policy at the W3C (World Wide Web Consortium)
